Edit tour

Windows Analysis Report
HqvlYZC7Gf.exe

Overview

General Information

Sample name:	HqvlYZC7Gf.exe (renamed file extension from none to exe)
Original sample name:	HqvlYZC7Gf
Analysis ID:	1534090
MD5:	2cdb760530ec92b79ee2bf80371cac90
SHA1:	70ef5a50636afaaa91ff0cb0df77f7e2fe14b6b2
SHA256:	e0e9067bd90b97af4c6bcdfee36fad24b4cf382be9314d58532acc0db0c7b37b
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Changes autostart functionality of drives

Changes the view of files in windows explorer (hidden files and folders)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autorun.inf (USB autostart)

Creates multiple autostart registry keys

Deletes keys related to Windows Defender

Deletes keys which are related to windows safe boot (disables safe mode boot)

Disable UAC(promptonsecuredesktop)

Disables UAC (registry)

Disables Windows Defender (deletes autostart)

Disables the Windows registry editor (regedit)

Disables user account control notifications

Drops executables to the windows directory (C:\Windows) and starts them

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to resolve many domain names, but no domain seems valid

Abnormal high CPU Usage

Connects to many different domains

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Executes massive DNS lookups (> 100)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

HqvlYZC7Gf.exe (PID: 2328 cmdline: "C:\Users\user\Desktop\HqvlYZC7Gf.exe" MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 4740 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe*" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

zjisvko.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe" MD5: 6B760F8FDCB57B4FEFC1487B46EF20CD)

zjisvko.exe (PID: 4148 cmdline: "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe" MD5: 6B760F8FDCB57B4FEFC1487B46EF20CD)

takyouhoymc.exe (PID: 7272 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 1996 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 4852 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 5824 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 4808 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 1072 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 5084 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 2052 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 6652 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 460 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 4880 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 6484 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 2156 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe" MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 6304 cmdline: MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

takyouhoymc.exe (PID: 7232 cmdline: MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

ojtoccrezqmarmjwql.exe (PID: 7816 cmdline: "C:\Windows\ojtoccrezqmarmjwql.exe" . MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\ojtoccrezqmarmjwql.exe*." MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

bzmkbewmkeduommczxkiz.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe" . MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\bzmkbewmkeduommczxkiz.exe*." MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

mjvsikbqngeunkjyurda.exe (PID: 820 cmdline: "C:\Windows\mjvsikbqngeunkjyurda.exe" . MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 5528 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\mjvsikbqngeunkjyurda.exe*." MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

mjvsikbqngeunkjyurda.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe" . MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\mjvsikbqngeunkjyurda.exe*." MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

yrzsecpaticodwrc.exe (PID: 5504 cmdline: "C:\Windows\yrzsecpaticodwrc.exe" MD5: 2CDB760530EC92B79EE2BF80371CAC90)

fzicpocoiytgwqmyr.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe" MD5: 2CDB760530EC92B79EE2BF80371CAC90)

mjvsikbqngeunkjyurda.exe (PID: 6276 cmdline: "C:\Windows\mjvsikbqngeunkjyurda.exe" MD5: 2CDB760530EC92B79EE2BF80371CAC90)

fzicpocoiytgwqmyr.exe (PID: 6392 cmdline: "C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe" MD5: 2CDB760530EC92B79EE2BF80371CAC90)

yrzsecpaticodwrc.exe (PID: 4376 cmdline: "C:\Windows\yrzsecpaticodwrc.exe" . MD5: 2CDB760530EC92B79EE2BF80371CAC90)

takyouhoymc.exe (PID: 4580 cmdline: "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\yrzsecpaticodwrc.exe*." MD5: C2093FBC0B0C6BD085F3AB7056BA31F5)

cleanup

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, ProcessId: 4740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qfjygajqfqgo

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: zvgcrsiwskhwokiwrny.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, ProcessId: 4740, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhneokveviakxo

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: yrzsecpaticodwrc.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, ProcessId: 4740, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfjygajqfqgo

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:39:25.100253+0200	2018141	1	A Network Trojan was detected	35.164.78.200	80	192.168.11.30	49818	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:39:25.100253+0200	2037771	1	A Network Trojan was detected	35.164.78.200	80	192.168.11.30	49818	TCP

ET MALWARE Win32/Pykspa.C Public IP Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:39:04.516532+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:05.944586+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:09.546757+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:12.302442+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:22.660608+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:25.001188+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:26.307764+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:29.880511+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:34.503486+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:35.819415+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:38.405222+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:40.725141+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:42.019421+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:43.319151+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:45.762930+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:48.354841+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:51.457160+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:52.748770+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:55.210914+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:40:00.123881+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:05.929226+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:08.247126+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:10.687194+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:12.037433+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:14.497426+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:18.490635+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:19.798795+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:21.109031+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:22.406157+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:27.208180+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:28.506677+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:35.899228+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:38.335973+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:43.573656+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:47.294589+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:50.649816+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:57.267600+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:41:03.892130+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2018773	1	A Network Trojan was detected	192.168.11.30	49959	104.19.223.79	80	TCP

ETPRO MALWARE Common Downloader Header Pattern General HAUC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:39:04.516532+0200	2803307	3	Unknown Traffic	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:05.944586+0200	2803307	3	Unknown Traffic	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:09.546757+0200	2803307	3	Unknown Traffic	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2803307	3	Unknown Traffic	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:12.302442+0200	2803307	3	Unknown Traffic	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2803307	3	Unknown Traffic	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2803307	3	Unknown Traffic	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:22.660608+0200	2803307	3	Unknown Traffic	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:24.111158+0200	2803307	3	Unknown Traffic	192.168.11.30	49815	34.111.176.156	80	TCP
2024-10-15T15:39:24.718814+0200	2803307	3	Unknown Traffic	192.168.11.30	49819	31.13.67.35	80	TCP
2024-10-15T15:39:24.820055+0200	2803307	3	Unknown Traffic	192.168.11.30	49818	35.164.78.200	80	TCP
2024-10-15T15:39:25.001188+0200	2803307	3	Unknown Traffic	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:26.307764+0200	2803307	3	Unknown Traffic	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:26.339356+0200	2803307	3	Unknown Traffic	192.168.11.30	49821	85.214.228.140	80	TCP
2024-10-15T15:39:29.201995+0200	2803307	3	Unknown Traffic	192.168.11.30	49825	208.100.26.245	80	TCP
2024-10-15T15:39:29.880511+0200	2803307	3	Unknown Traffic	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2803307	3	Unknown Traffic	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:34.503486+0200	2803307	3	Unknown Traffic	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:35.819415+0200	2803307	3	Unknown Traffic	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:38.405222+0200	2803307	3	Unknown Traffic	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:40.725141+0200	2803307	3	Unknown Traffic	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:42.019421+0200	2803307	3	Unknown Traffic	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:43.319151+0200	2803307	3	Unknown Traffic	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:45.762930+0200	2803307	3	Unknown Traffic	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2803307	3	Unknown Traffic	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:48.354841+0200	2803307	3	Unknown Traffic	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2803307	3	Unknown Traffic	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:51.158491+0200	2803307	3	Unknown Traffic	192.168.11.30	49855	18.64.172.225	80	TCP
2024-10-15T15:39:51.457160+0200	2803307	3	Unknown Traffic	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:52.748770+0200	2803307	3	Unknown Traffic	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:55.210914+0200	2803307	3	Unknown Traffic	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2803307	3	Unknown Traffic	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:40:00.123881+0200	2803307	3	Unknown Traffic	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2803307	3	Unknown Traffic	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:05.929226+0200	2803307	3	Unknown Traffic	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:08.247126+0200	2803307	3	Unknown Traffic	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:10.687194+0200	2803307	3	Unknown Traffic	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:12.037433+0200	2803307	3	Unknown Traffic	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:14.497426+0200	2803307	3	Unknown Traffic	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2803307	3	Unknown Traffic	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:17.183166+0200	2803307	3	Unknown Traffic	192.168.11.30	49889	18.64.172.225	80	TCP
2024-10-15T15:40:18.490635+0200	2803307	3	Unknown Traffic	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:19.798795+0200	2803307	3	Unknown Traffic	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:21.109031+0200	2803307	3	Unknown Traffic	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:22.406157+0200	2803307	3	Unknown Traffic	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2803307	3	Unknown Traffic	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:27.208180+0200	2803307	3	Unknown Traffic	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:28.506677+0200	2803307	3	Unknown Traffic	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2803307	3	Unknown Traffic	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2803307	3	Unknown Traffic	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2803307	3	Unknown Traffic	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:35.899228+0200	2803307	3	Unknown Traffic	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:38.335973+0200	2803307	3	Unknown Traffic	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2803307	3	Unknown Traffic	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:43.251312+0200	2803307	3	Unknown Traffic	192.168.11.30	49926	151.101.128.81	80	TCP
2024-10-15T15:40:43.573656+0200	2803307	3	Unknown Traffic	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:47.294589+0200	2803307	3	Unknown Traffic	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:50.649816+0200	2803307	3	Unknown Traffic	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2803307	3	Unknown Traffic	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:57.267600+0200	2803307	3	Unknown Traffic	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:41:03.892130+0200	2803307	3	Unknown Traffic	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2803307	3	Unknown Traffic	192.168.11.30	49959	104.19.223.79	80	TCP

ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:39:04.516532+0200	2803306	3	Unknown Traffic	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:05.944586+0200	2803306	3	Unknown Traffic	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:09.546757+0200	2803306	3	Unknown Traffic	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2803306	3	Unknown Traffic	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:12.302442+0200	2803306	3	Unknown Traffic	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2803306	3	Unknown Traffic	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2803306	3	Unknown Traffic	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:22.660608+0200	2803306	3	Unknown Traffic	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:24.111158+0200	2803306	3	Unknown Traffic	192.168.11.30	49815	34.111.176.156	80	TCP
2024-10-15T15:39:24.718814+0200	2803306	3	Unknown Traffic	192.168.11.30	49819	31.13.67.35	80	TCP
2024-10-15T15:39:24.820055+0200	2803306	3	Unknown Traffic	192.168.11.30	49818	35.164.78.200	80	TCP
2024-10-15T15:39:25.001188+0200	2803306	3	Unknown Traffic	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:26.307764+0200	2803306	3	Unknown Traffic	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:26.339356+0200	2803306	3	Unknown Traffic	192.168.11.30	49821	85.214.228.140	80	TCP
2024-10-15T15:39:29.201995+0200	2803306	3	Unknown Traffic	192.168.11.30	49825	208.100.26.245	80	TCP
2024-10-15T15:39:29.880511+0200	2803306	3	Unknown Traffic	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2803306	3	Unknown Traffic	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:34.503486+0200	2803306	3	Unknown Traffic	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:35.819415+0200	2803306	3	Unknown Traffic	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:38.405222+0200	2803306	3	Unknown Traffic	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:40.725141+0200	2803306	3	Unknown Traffic	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:42.019421+0200	2803306	3	Unknown Traffic	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:43.319151+0200	2803306	3	Unknown Traffic	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:45.762930+0200	2803306	3	Unknown Traffic	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2803306	3	Unknown Traffic	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:48.354841+0200	2803306	3	Unknown Traffic	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2803306	3	Unknown Traffic	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:51.158491+0200	2803306	3	Unknown Traffic	192.168.11.30	49855	18.64.172.225	80	TCP
2024-10-15T15:39:51.457160+0200	2803306	3	Unknown Traffic	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:52.748770+0200	2803306	3	Unknown Traffic	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:55.210914+0200	2803306	3	Unknown Traffic	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2803306	3	Unknown Traffic	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:40:00.123881+0200	2803306	3	Unknown Traffic	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2803306	3	Unknown Traffic	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:05.929226+0200	2803306	3	Unknown Traffic	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:08.247126+0200	2803306	3	Unknown Traffic	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:10.687194+0200	2803306	3	Unknown Traffic	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:12.037433+0200	2803306	3	Unknown Traffic	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:14.497426+0200	2803306	3	Unknown Traffic	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2803306	3	Unknown Traffic	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:17.183166+0200	2803306	3	Unknown Traffic	192.168.11.30	49889	18.64.172.225	80	TCP
2024-10-15T15:40:18.490635+0200	2803306	3	Unknown Traffic	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:19.798795+0200	2803306	3	Unknown Traffic	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:21.109031+0200	2803306	3	Unknown Traffic	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:22.406157+0200	2803306	3	Unknown Traffic	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2803306	3	Unknown Traffic	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:27.208180+0200	2803306	3	Unknown Traffic	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:28.506677+0200	2803306	3	Unknown Traffic	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2803306	3	Unknown Traffic	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2803306	3	Unknown Traffic	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2803306	3	Unknown Traffic	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:35.899228+0200	2803306	3	Unknown Traffic	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:38.335973+0200	2803306	3	Unknown Traffic	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2803306	3	Unknown Traffic	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:43.251312+0200	2803306	3	Unknown Traffic	192.168.11.30	49926	151.101.128.81	80	TCP
2024-10-15T15:40:43.573656+0200	2803306	3	Unknown Traffic	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:47.294589+0200	2803306	3	Unknown Traffic	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:50.649816+0200	2803306	3	Unknown Traffic	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2803306	3	Unknown Traffic	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:57.267600+0200	2803306	3	Unknown Traffic	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:41:03.892130+0200	2803306	3	Unknown Traffic	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2803306	3	Unknown Traffic	192.168.11.30	49959	104.19.223.79	80	TCP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-15T15:40:13.895775+0200	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.11.30	61373	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HqvlYZC7Gf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\ylnagyfkxg.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Avira: detection malicious, Label: TR/Agent.327680.A
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\qfjygajqfqgo.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\qhneokveviakxo.bat	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Avira: detection malicious, Label: TR/Agent.327680.A
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj
Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Avira: detection malicious, Label: TR/Drop.Agent.bjxj

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\yrzsecpaticodwrc.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\bzmkbewmkeduommczxkiz.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\fzicpocoiytgwqmyr.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\ojtoccrezqmarmjwql.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\srfewatkjeewrqrigftsko.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\yrzsecpaticodwrc.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\zvgcrsiwskhwokiwrny.exe	ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: HqvlYZC7Gf.exe

ReversingLabs: Detection: 97%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Joe Sandbox ML: detected
Source: C:\ylnagyfkxg.bat	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Joe Sandbox ML: detected
Source: C:\qfjygajqfqgo.bat	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Joe Sandbox ML: detected
Source: C:\qhneokveviakxo.bat	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HqvlYZC7Gf.exe

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.11.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.10:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.11.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.11.10:445	Jump to behavior

Source: HqvlYZC7Gf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Changes autostart functionality of drives

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun

Jump to behavior

Creates autorun.inf (USB autostart)

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

File created: C:\autorun.inf

Jump to behavior

Source: zjisvko.exe, 00000004.00000002.208997558580.000000000416A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: C:\autorun.inf
Source: zjisvko.exe, 00000004.00000002.208997558580.000000000416A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: [AutoRun]
Source: zjisvko.exe, 00000004.00000002.208997558580.000000000416A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ylnagyfkxg.batyrzsecpaticodwrcunvoaylwpeykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcanybjgop.exeC:\autorun.inf,
Source: autorun.inf.4.dr	Binary or memory string: [AutoRun]

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	2_2_00407850
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	2_2_00401000
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	2_2_00414883
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00408912
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	2_2_00407259
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	2_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	2_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	2_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407850 lstrlenA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00407850
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	4_2_00414883
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	4_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00406718 lstrcmpiA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00401000 lstrcatA,lstrcpyA,Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00408912 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00408912
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407259 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	4_2_00407259
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407D1E lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	4_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	4_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	5_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_00407850
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	5_2_00401000
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	5_2_00414883
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	5_2_00408912
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	5_2_00407259
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	5_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	5_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	5_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	19_2_00407850
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	19_2_00401000
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	19_2_00414883
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	19_2_00408912
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	19_2_00407259
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	19_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	19_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	19_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	19_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	19_2_00406718

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_004069AA GetLogicalDriveStringsA,Sleep,lstrcpyA,lstrlenA,

2_2_004069AA

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49833 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49799 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49804 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49820 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49803 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49800 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49814 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49805 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49813 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49810 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49831 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49827 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49859 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49822 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49834 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49838 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49844 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49842 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49850 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49871 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49856 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49843 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49851 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49853 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49861 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49882 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49875 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49867 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49880 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49848 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49905 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49877 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49887 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49862 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49901 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49885 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49909 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49904 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49924 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49894 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49896 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49913 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49932 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49914 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49937 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49892 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49897 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49945 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49915 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49959 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49954 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49919 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49927 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2018773 - Severity 1 - ET MALWARE Win32/Pykspa.C Public IP Check : 192.168.11.30:49941 -> 104.19.223.79:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 78.63.102.38 ports 19742,1,2,4,7,9
Source: global traffic	TCP traffic: 212.75.9.215 ports 1,3,4,6,31946,9

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: ikvzsyc.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nwdyhujtzi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: awbabah.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yydylwx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iilirx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qaciphd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bsnmkqvxz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wuzupehil.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vjvslqxmv.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iqiuqeui.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wqwmek.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yzbiymneerj.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nxctobwc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jefodozzl.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uqgtbor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cgzmkaoqtpr.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pnmplsbbix.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yxeqglor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mfxrrezr.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ooqfgvnllbdj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lhlsksy.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bqyuiihdvkwp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zwphhjux.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: igpcvkvzb.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mhposkbsmfgm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pycyjn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jwlihfftrqf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nifigom.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: musmgsaw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aulokytqd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xssrxcm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vispyytg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qhxaqmz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xvhkkg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wtflhxja.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: urtmvkx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nqhldiaq.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tbyoyvhnfv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bqtaiujbh.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: spyutmxdvvrw.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: swnmtyjsf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pomobah.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fakljq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fygwaqxgysw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kvywsfyj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bkeybclmy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: umcaqskg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: quivwopczbfy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sizbtf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ffofvkbozxfp.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vumilurpoatl.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jnqmtia.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqlmrcbc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agfqpjgnocco.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kgswyswsms.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dsklbkmbbx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dieqnoxgfoxb.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ozsqpqy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ogeltrlncszo.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: egvabsriwel.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ucrxnssd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iffkftv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gurklthyhkv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jqxkxrg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: voqtbrbz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cqockgwssaik.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qiaykqoaqe.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tdfenz.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rafoaiduv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jcfzmn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: htdnxe.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ucrkhizrjle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xffltdug.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hzsnry.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bmpdmba.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vafyutroz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: puvxcbhx.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mscaguoqykue.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cecitmbetwe.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gbekjlws.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ystygahkl.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zpryru.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.whatismyip.ca replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eobhpynq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dadqeqrbmhkp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zncepwjkjm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ayocmawe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: savdog.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ktljlgcrkwv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hintqdku.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jctcln.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nercgrv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: suzetmnq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uivmnckkpij.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nzmtkansch.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hamsvogno.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: txflaunynf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pxmwgq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gwcisuuo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tqfbxlwpvsip.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zfzerwlmxkg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lwlihog.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jovzeem.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tkhcfkf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dcbeeq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sgdyfbvwe.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yhonummhox.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rcxvkunydmr.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dzxsldit.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aamsoqwekwec.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdrmqone.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tlbiku.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: akyndev.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xfbeqk.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jgrfdugjau.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ukamqol.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vacovcj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zaplzz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ygqeguwiogqi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rdnmtqyabal.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uuiwkq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jexwxsd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kkakqqayhyu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oasmcuggak.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: khhwhgysu.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: igousuia.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hcjufqt.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gmwsmkuo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oasiou.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wkzfaedg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ufvxhp.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qemkas.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kyszrzmuawj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: akzktct.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pcvsdovpp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ocndbcf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pmbixadyny.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tqpudini.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iaqmeowe.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iavgymgybax.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oqecuy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bonydwj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fnvcomt.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hcgosj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ulfcsvuc.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vsmntqmv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cspcpap.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vopsaqf.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fyuftjcbykxh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: giglhwhuby.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: skpxwstkygr.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ldziatjs.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: onlmeofrwh.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jtbancuulki.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rusadzqvki.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pzhnljvmfru.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cewoiimcwmow.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqrglipkoyb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rihbjuh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vafwzud.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bcnuzzk.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tqpofcjab.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sakmwmeuukis.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: huocyhaakf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bwvwvtkesnht.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ditidgffs.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zohogepxhih.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uscpqm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mgkssskeic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ciqcimgqce.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mdabnbhqftj.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cvpprc.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gsdusg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fltebaltkwm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ntcgvuryjee.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lsnsgqnhjek.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zmzaasi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cukqaeyggw.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kiuwsu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: upvncjsnxw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hlrqvyg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sxwhjlvgpu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fduvhdv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nllqlqfxanom.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jbvspwqifcl.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hevkrkpespf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sopgmznouqlh.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xilsfdgn.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ywzcjat.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uagoeg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: llymgadj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wofeuyik.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pnraibr.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kqpsemrav.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zryswp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vwddzjzgjozz.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fdnkvsylwiz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ybwgqhqrij.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bgiqmzak.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ttnbfk.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mcuklboyykac.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qsiwcddk.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: habozmd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: scpzbmxklu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lpysix.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kwslgsua.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lzemrstoe.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ahpirreonw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tchyfuocxrc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: trpwlxg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wccbxqqoyoy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: drpgrw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jubkwv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cywqlsx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mepqfzed.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fexrcuretv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xmvcfdcsymv.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aubohelcvlm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: otmccjnozm.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yjtugxbx.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gvsvxirhjhmc.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: blygpfuqsf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: amvrxrvzrwqn.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sanyfyesvat.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whatismyip.everdot.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dilmlovovkn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mgjyyduwwax.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xixshgqsnxdm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: neklmjvt.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: otykmmxuwhs.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ebzwtwgch.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uweeaaosgi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pqkcuqqnpqd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eedijewjab.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiyhxjvgsqb.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kepiqy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qycosiiiykcy.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: koindl.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lwsned.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: swswoussmc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eqarlsfwjfba.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hagojezpc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fxzpqzqd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hoacxkhcaot.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ovmlyfsbvepf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ykvsdehnbic.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gifjwknnsa.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kqpxtsgpzx.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bqwstab.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coxovsu.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nhblvtkhsosr.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lozupqunl.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hfmmrpaa.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jcyusd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: horzaw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eukvpt.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: owfvaiicb.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pguuxfdjxm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xkntthpajft.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ksqeyvwh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smtcrrm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: niyutxia.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vwuhtwjkiukd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rnrbzaiv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cyldvylo.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: djlijkrol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ykydrbpoxqpu.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aipoxmkfh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qkwcuasm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rboarkztdep.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agakymgcigsw.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eabmqsykas.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fkfstwvpdih.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: trmpbuwu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hiuqnlsktyn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xnsamtpm.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cwbmhpaqjfw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: egwkmsqm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yqwmiy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: flmbvdibho.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pqjmoi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zszagqbuxtu.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ejguppjem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hiazdcy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ocowiwigou.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xthmhc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nocrzsq.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cmixxszxrf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bowmbsngr.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vupjfqd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: isagooiqeu.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xuaibkgv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uzpknqpehid.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mmfljcduuiq.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rjmynwz.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: faasdt.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mackgqecao.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ptxmhgbxv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: terdonh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hztehanu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: emxwaolfpmi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dyhkxxkggdd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nrayothh.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: igkawu.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oqiqgawygycg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kuceigmowq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: icdthcm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ggsukwasb.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: evftriicx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ohtkxxg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tmdlhcf.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dekwdrys.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rozslge.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ekojonrx.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ryxedahgvtlu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: emrmaigh.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pgglnkael.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jrqwzahcxma.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qbhdsh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jcasyzwnyb.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tyruco.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pspexyjytqa.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: meyuyaewaogs.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mkouldrk.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rfqpbojltq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xqhrxqoh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vjjuxotcr.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qqbnhgbsqxd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vgpckslqq.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bsvkxs.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vgybvjppdvve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kiooigv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mimmqwaykqia.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eyngxwxvv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xroqdulwju.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lkqdmkckr.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ccwsnub.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nkrqzg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nsnqdit.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ryxqnubutjv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qstyvuo.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kgsysa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rsgzts.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hzxvah.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cceywm.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ihpimdxy.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vmasuhbokayf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hdtuhunof.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strpoehe.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: msrrjwyrm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: deroocmofof.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gtpyhzzsrd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: phwbulosja.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qodrrrzehko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ngtlglf.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gorfnmtwasl.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pqdwhoyqfyr.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cufjtiyoj.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qayaswom.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftpehwlaf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dwpqgivmpx.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wljitkmmrsq.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eumiqrniuuj.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hayarmmbzyv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: revndeg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bgkwjol.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pmblwd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cnzthi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mwgyka.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: koqaswsiic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: teewxe.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: buzxzusv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bwvdpivgkbq.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kapmdmvanjh.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pznkbhqy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dskcygp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nwtltucdgxci.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wlsgkd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bgzsdevk.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: umwqai.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: osxpaprezyg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agvocmd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nbbghscbn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aqwogctkcig.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fgryrzlwv.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uugiiqomoa.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: magkesswuu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fmpsoxtsv.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zyzubzht.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ksqlfmrx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waieucykau.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xjzmxageg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cobmtgsmfpx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mbrwiditjn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qqikyaggkswy.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bnuclyrxygnf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftyayhvid.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wgiusyackwya.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zjkdtmzuul.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tjzaiyhoayd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nhzkbxtuxso.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pqqobu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gqiugkyksc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yiiemy.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mmvcfomuzgr.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zytaxmwmimp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqzbtyqilrby.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qmwoewqkaamo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zavcnar.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hyloumvvua.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yjhofwlx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ffxhdkyy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dkxmvos.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sfhqxtpgdcp.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wooovgmc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lkykrcllfknb.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kscoccomsc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zfrhqybxtdeg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rieoxvzxc.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bnkqoxtw.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kzzieqwxrfgm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: keyuqaco.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gshaoi.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pfqdbsyn.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dkuujwkup.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rigtmebyrwk.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pfzvtdg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vtbcnjvmwj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tawibizuloh.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nmubfz.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pzavkbwk.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iaimiwaw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: euuoqg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ybgddyiuljpt.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yumqcygsqk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wxxacjxlvl.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cxdmdldfv.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: saxwjjjeb.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kyhbvm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ksmggayg.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qrkcmaiuj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qedsben.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gsukcsgacuic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hosplypcd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: delnmynibhnu.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xofihfrimj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: teyrdsuc.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zuxymd.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wuhkrrpew.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ravbrdlcxepx.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lbrmhwh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wrdtfuwqu.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wcikfayz.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dekudc.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qledvhmwtgj.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uwpdwvsp.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: voisfho.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rreezoiqbg.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iogzpqtkbml.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bflthq.info replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 484

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	TCP traffic: 192.168.11.30:49817 -> 114.25.71.193:13918
Source: global traffic	TCP traffic: 192.168.11.30:49826 -> 178.90.73.188:22027
Source: global traffic	TCP traffic: 192.168.11.30:49832 -> 89.215.115.4:41100
Source: global traffic	TCP traffic: 192.168.11.30:49840 -> 41.47.39.184:33325
Source: global traffic	TCP traffic: 192.168.11.30:49849 -> 85.217.219.168:29925
Source: global traffic	TCP traffic: 192.168.11.30:49858 -> 212.75.9.215:31946
Source: global traffic	TCP traffic: 192.168.11.30:49874 -> 46.159.134.7:18849
Source: global traffic	TCP traffic: 192.168.11.30:49881 -> 188.114.42.197:44785
Source: global traffic	TCP traffic: 192.168.11.30:49891 -> 89.215.35.152:40089
Source: global traffic	TCP traffic: 192.168.11.30:49908 -> 78.63.102.38:19742

Source: global traffic

DNS traffic detected: number of DNS queries: 484

Source: Joe Sandbox View	IP Address: 35.164.78.200 35.164.78.200
Source: Joe Sandbox View	IP Address: 104.27.207.92 104.27.207.92

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.showmyipaddress.com
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.com
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.com
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca
Source: unknown	DNS query: name: www.whatismyip.ca

Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49833 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49799 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49833 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49799 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49800 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49804 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49800 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49804 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49820 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49820 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49803 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49803 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49814 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49814 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49813 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49805 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49805 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49821 -> 85.214.228.140:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49810 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49813 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49810 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49831 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49821 -> 85.214.228.140:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49815 -> 34.111.176.156:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49818 -> 35.164.78.200:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49815 -> 34.111.176.156:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49831 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49818 -> 35.164.78.200:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49819 -> 31.13.67.35:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49819 -> 31.13.67.35:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.11.30:49818
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.11.30:49818
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49827 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49827 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49859 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49859 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49822 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49822 -> 104.27.206.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49825 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49825 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49834 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49834 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49838 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49838 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49844 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49844 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49842 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49842 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49850 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49871 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49850 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49855 -> 18.64.172.225:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49871 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49855 -> 18.64.172.225:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49856 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49856 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49843 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49843 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49851 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49851 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49853 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49853 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49861 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49861 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49882 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49882 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49875 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49867 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49875 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49867 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49880 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49880 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49848 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49848 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49905 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49905 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49887 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49877 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49887 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49877 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49901 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49901 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49889 -> 18.64.172.225:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49862 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49862 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49889 -> 18.64.172.225:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49885 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.11.30:61373
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49885 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49909 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49909 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49904 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49904 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49894 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49924 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49894 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49924 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49896 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49896 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49926 -> 151.101.128.81:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49926 -> 151.101.128.81:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49913 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49913 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49932 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49932 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49914 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49914 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49937 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49937 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49892 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49892 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49897 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49897 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49945 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49945 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49915 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49915 -> 104.27.207.92:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49959 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49959 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49954 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49954 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49919 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49919 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49927 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49927 -> 172.67.155.175:80
Source: Network traffic	Suricata IDS: 2803306 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC : 192.168.11.30:49941 -> 104.19.223.79:80
Source: Network traffic	Suricata IDS: 2803307 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern General HAUC : 192.168.11.30:49941 -> 104.19.223.79:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.myspace.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: lwbjtptjlzji.netAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.facebook.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: xhjwwgwd.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: wsmpvwxb.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.imdb.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.imdb.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.73.188
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.73.188
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.73.188
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.73.188
Source: unknown	TCP traffic detected without corresponding DNS query: 178.90.73.188
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.115.4
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.115.4
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.115.4
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 85.217.219.168
Source: unknown	TCP traffic detected without corresponding DNS query: 85.217.219.168
Source: unknown	TCP traffic detected without corresponding DNS query: 85.217.219.168
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.9.215
Source: unknown	TCP traffic detected without corresponding DNS query: 46.159.134.7
Source: unknown	TCP traffic detected without corresponding DNS query: 46.159.134.7
Source: unknown	TCP traffic detected without corresponding DNS query: 46.159.134.7
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.42.197
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.42.197
Source: unknown	TCP traffic detected without corresponding DNS query: 188.114.42.197
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 41.47.39.184
Source: unknown	TCP traffic detected without corresponding DNS query: 78.63.102.38
Source: unknown	TCP traffic detected without corresponding DNS query: 78.63.102.38
Source: unknown	TCP traffic detected without corresponding DNS query: 78.63.102.38
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 114.25.71.193
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 89.215.35.152
Source: unknown	TCP traffic detected without corresponding DNS query: 85.217.219.168
Source: unknown	TCP traffic detected without corresponding DNS query: 85.217.219.168

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0040286C select,__WSAFDIsSet,recv,

2_2_0040286C

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.myspace.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: lwbjtptjlzji.netAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.facebook.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: xhjwwgwd.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: wsmpvwxb.infoAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.imdb.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.imdb.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.whatismyip.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.showmyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comAccept: /User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3Connection: close

Source: zjisvko.exe, 00000004.00000003.208156989045.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C#star-mini.c10r.facebook.comwww.facebook.com11Ln equals www.facebook.com (Facebook)
Source: zjisvko.exe, 00000004.00000003.208156989045.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C#star-mini.c10r.facebook.comwww.facebook.comstar-mini.c10r.facebook.comwww.facebook.comQQEn equals www.facebook.com (Facebook)
Source: zjisvko.exe, 00000004.00000003.208156989045.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sstar-mini.c10r.facebook.comwww.facebook.comw equals www.facebook.com (Facebook)
Source: zjisvko.exe, 00000004.00000003.208156857654.0000000000729000.00000004.00000020.00020000.00000000.sdmp, zjisvko.exe, 00000004.00000003.208156989045.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.facebook.com/ equals www.facebook.com (Facebook)
Source: zjisvko.exe, 00000004.00000003.208156857654.0000000000729000.00000004.00000020.00020000.00000000.sdmp, zjisvko.exe, 00000004.00000003.208156989045.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comw equals www.facebook.com (Facebook)
Source: zjisvko.exe, 00000004.00000003.208156857654.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.myspace.com equals www.myspace.com (Myspace)
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.myspace.com/ equals www.myspace.com (Myspace)
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: www.youtube.com/ equals www.youtube.com (Youtube)
Source: zjisvko.exe, 00000004.00000002.208991705724.000000000019F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com/www.wikipedia.org/www.blogger.com/www.adobe.com/www.http://whatismyipaddress.com/ equals www.youtube.com (Youtube)
Source: takyouhoymc.exe, 00000002.00000003.207821321275.0000000000636000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000002.00000000.207767291424.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.facebook.com (Facebook)
Source: takyouhoymc.exe, 00000002.00000003.207821321275.0000000000636000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000002.00000000.207767291424.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.myspace.com (Myspace)
Source: takyouhoymc.exe, 00000002.00000003.207821321275.0000000000636000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000002.00000000.207767291424.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.yahoo.com (Yahoo)
Source: takyouhoymc.exe, 00000002.00000003.207821321275.0000000000636000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000002.00000000.207767291424.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: xxwww.ebay.com/www.baidu.com/www.imdb.com/www.bbc.co.uk/www.adobe.com/www.blogger.com/www.wikipedia.org/www.yahoo.com/www.youtube.com/www.myspace.com/www.facebook.com/www.google.com/ .Shell""-shutdown -r equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: www.whatismyip.ca
Source: global traffic	DNS traffic detected: DNS query: whatismyip.everdot.org
Source: global traffic	DNS traffic detected: DNS query: whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: www.showmyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: www.whatismyip.com
Source: global traffic	DNS traffic detected: DNS query: www.myspace.com
Source: global traffic	DNS traffic detected: DNS query: lwbjtptjlzji.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: deroocmofof.org
Source: global traffic	DNS traffic detected: DNS query: fltebaltkwm.info
Source: global traffic	DNS traffic detected: DNS query: eukvpt.info
Source: global traffic	DNS traffic detected: DNS query: cdrmqone.net
Source: global traffic	DNS traffic detected: DNS query: xhjwwgwd.info
Source: global traffic	DNS traffic detected: DNS query: ggsukwasb.net
Source: global traffic	DNS traffic detected: DNS query: spyutmxdvvrw.info
Source: global traffic	DNS traffic detected: DNS query: nwdyhujtzi.net
Source: global traffic	DNS traffic detected: DNS query: cecitmbetwe.info
Source: global traffic	DNS traffic detected: DNS query: fnvcomt.net
Source: global traffic	DNS traffic detected: DNS query: koqaswsiic.com
Source: global traffic	DNS traffic detected: DNS query: ooqfgvnllbdj.net
Source: global traffic	DNS traffic detected: DNS query: ywzcjat.info
Source: global traffic	DNS traffic detected: DNS query: delnmynibhnu.info
Source: global traffic	DNS traffic detected: DNS query: cgzmkaoqtpr.net
Source: global traffic	DNS traffic detected: DNS query: fakljq.net
Source: global traffic	DNS traffic detected: DNS query: yxeqglor.net
Source: global traffic	DNS traffic detected: DNS query: ditidgffs.com
Source: global traffic	DNS traffic detected: DNS query: wsmpvwxb.info
Source: global traffic	DNS traffic detected: DNS query: iogzpqtkbml.info
Source: global traffic	DNS traffic detected: DNS query: hdtuhunof.info
Source: global traffic	DNS traffic detected: DNS query: habozmd.info
Source: global traffic	DNS traffic detected: DNS query: umwqai.com
Source: global traffic	DNS traffic detected: DNS query: sfhqxtpgdcp.net
Source: global traffic	DNS traffic detected: DNS query: lkykrcllfknb.net
Source: global traffic	DNS traffic detected: DNS query: akzktct.net
Source: global traffic	DNS traffic detected: DNS query: iewiai.org
Source: global traffic	DNS traffic detected: DNS query: tqpudini.net
Source: global traffic	DNS traffic detected: DNS query: rusadzqvki.net
Source: global traffic	DNS traffic detected: DNS query: pqqobu.net
Source: global traffic	DNS traffic detected: DNS query: jrqwzahcxma.net
Source: global traffic	DNS traffic detected: DNS query: jexwxsd.net
Source: global traffic	DNS traffic detected: DNS query: xofihfrimj.net
Source: global traffic	DNS traffic detected: DNS query: qayaswom.com
Source: global traffic	DNS traffic detected: DNS query: jctcln.info
Source: global traffic	DNS traffic detected: DNS query: iqiuqeui.org
Source: global traffic	DNS traffic detected: DNS query: mackgqecao.org
Source: global traffic	DNS traffic detected: DNS query: mgkssskeic.com
Source: global traffic	DNS traffic detected: DNS query: ldziatjs.info
Source: global traffic	DNS traffic detected: DNS query: dekudc.info
Source: global traffic	DNS traffic detected: DNS query: cwbmhpaqjfw.net
Source: global traffic	DNS traffic detected: DNS query: yiiemy.org
Source: global traffic	DNS traffic detected: DNS query: ccwsnub.info
Source: global traffic	DNS traffic detected: DNS query: sakmwmeuukis.org
Source: global traffic	DNS traffic detected: DNS query: bnkqoxtw.net
Source: global traffic	DNS traffic detected: DNS query: mscaguoqykue.org
Source: global traffic	DNS traffic detected: DNS query: qodrrrzehko.net
Source: global traffic	DNS traffic detected: DNS query: oqiqgawygycg.org
Source: global traffic	DNS traffic detected: DNS query: dyhkxxkggdd.info
Source: global traffic	DNS traffic detected: DNS query: quivwopczbfy.net
Source: global traffic	DNS traffic detected: DNS query: mmfljcduuiq.info
Source: global traffic	DNS traffic detected: DNS query: nbbghscbn.info
Source: global traffic	DNS traffic detected: DNS query: tkhcfkf.net
Source: global traffic	DNS traffic detected: DNS query: zfzerwlmxkg.org
Source: global traffic	DNS traffic detected: DNS query: cukqaeyggw.org
Source: global traffic	DNS traffic detected: DNS query: swnmtyjsf.info
Source: global traffic	DNS traffic detected: DNS query: bowmbsngr.net
Source: global traffic	DNS traffic detected: DNS query: kyhbvm.info
Source: global traffic	DNS traffic detected: DNS query: wofeuyik.info
Source: global traffic	DNS traffic detected: DNS query: qedsben.info
Source: global traffic	DNS traffic detected: DNS query: uqgtbor.net
Source: global traffic	DNS traffic detected: DNS query: rqzbtyqilrby.info
Source: global traffic	DNS traffic detected: DNS query: tmdlhcf.info
Source: global traffic	DNS traffic detected: DNS query: llymgadj.net
Source: global traffic	DNS traffic detected: DNS query: strpoehe.net
Source: global traffic	DNS traffic detected: DNS query: qhxaqmz.info
Source: global traffic	DNS traffic detected: DNS query: ptxmhgbxv.com
Source: global traffic	DNS traffic detected: DNS query: bsnmkqvxz.info
Source: global traffic	DNS traffic detected: DNS query: ybgddyiuljpt.info
Source: global traffic	DNS traffic detected: DNS query: wooovgmc.info
Source: global traffic	DNS traffic detected: DNS query: pmblwd.info
Source: global traffic	DNS traffic detected: DNS query: owfvaiicb.net
Source: global traffic	DNS traffic detected: DNS query: rdnmtqyabal.info
Source: global traffic	DNS traffic detected: DNS query: cnzthi.net
Source: global traffic	DNS traffic detected: DNS query: ucrkhizrjle.net
Source: global traffic	DNS traffic detected: DNS query: lbrmhwh.com
Source: global traffic	DNS traffic detected: DNS query: aipoxmkfh.info
Source: global traffic	DNS traffic detected: DNS query: pznkbhqy.net
Source: global traffic	DNS traffic detected: DNS query: zytaxmwmimp.net
Source: global traffic	DNS traffic detected: DNS query: nhblvtkhsosr.info
Source: global traffic	DNS traffic detected: DNS query: xuaibkgv.info
Source: global traffic	DNS traffic detected: DNS query: isagooiqeu.org
Source: global traffic	DNS traffic detected: DNS query: kapmdmvanjh.info
Source: global traffic	DNS traffic detected: DNS query: iavgymgybax.net
Source: global traffic	DNS traffic detected: DNS query: bgzsdevk.net
Source: global traffic	DNS traffic detected: DNS query: uweeaaosgi.com
Source: global traffic	DNS traffic detected: DNS query: lsnsgqnhjek.net
Source: global traffic	DNS traffic detected: DNS query: fkfstwvpdih.info
Source: global traffic	DNS traffic detected: DNS query: igkawu.org
Source: global traffic	DNS traffic detected: DNS query: oqecuy.com
Source: global traffic	DNS traffic detected: DNS query: igpcvkvzb.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:19 GMTSet-Cookie: __cf_bm=vFT_S.l2plcgNSszqZxPOgQgiPFYZRZLMqFCJEEld24-1728999544-1.0.1.1-EHSRuxvkJWJuVBGRV2yjcQhyuF2aCJydUHQ.fgvhoPxOIwGJ2aKtAlKR4p9asN2ZjHAiiKfaAYh9bkpAawN5Gg; path=/; expires=Tue, 15-Oct-24 14:09:04 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d303690be74a530-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:24 GMTSet-Cookie: __cf_bm=M2pH.5UVAhNNH.Yyu5yQnmUkUHU1.4D.3YUCTYw3ECM-1728999549-1.0.1.1-bopzJkuMdqImAjFet6sYo5.tPvWEqFY0WB.rhS7ZHsCkPesBPsyaKg7hRqp5Zkdq2LgFJ0.rlPrvg8gHtx9Z9A; path=/; expires=Tue, 15-Oct-24 14:09:09 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3036b00e68335e-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:25 GMTSet-Cookie: __cf_bm=F8.bHDjOmzZs_uMT4mduv7oWzIO0aOXmCGZTrVaisgw-1728999550-1.0.1.1-B2qV84GVsSKAa9RU2vMfVDryKr8SNGFbfclStkVH9jKPNe4EcI3MAzp7r7ebGlVDD12uGMXzOHZ0VosG1LRfaQ; path=/; expires=Tue, 15-Oct-24 14:09:10 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3036b838ecd9fd-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:37 GMTSet-Cookie: __cf_bm=dZg45bLLD2l8r0AyDiHaWvLigxUpqs4pfHy9igHniL0-1728999562-1.0.1.1-LVfrx19PQEpVO3A1uisAp544UCxrU2wyDz7nuGEIYh63jslcHdCLA.5uc4TraQROoVk32qfaO1kefZ7d0baYRA; path=/; expires=Tue, 15-Oct-24 14:09:22 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037020c3725b5-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:39 GMTSet-Cookie: __cf_bm=1nE0UCey8XtG83SYPAw7TF23SwXgTybrKUmmMiZ8e0M-1728999564-1.0.1.1-PCfYTXH3LEo.nqE7uCIKN0ddrNInlSBEOLfH4V_PnTCsBpjRjkju8LAANPKTpCGETJBBwLlIxldfqmyQiiY9GQ; path=/; expires=Tue, 15-Oct-24 14:09:24 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d303710be1eb3cb-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.2Date: Tue, 15 Oct 2024 13:39:26 GMTTransfer-Encoding: chunkedConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 15 Oct 2024 13:39:29 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:44 GMTSet-Cookie: __cf_bm=o27P_8.1Q7o_KBrL5CpxRxlGZhSGfUovhellNCBPt3U-1728999569-1.0.1.1-Ps86dzFA2ySE4s7AvFNH51Q6UAWlflAmCgdZKT8Numd2dOljmq10iyMEuHTieeL1xcUuUExvZhRLWi35mSbwcg; path=/; expires=Tue, 15-Oct-24 14:09:29 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d30372f3ca1746d-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:48 GMTSet-Cookie: __cf_bm=5yMpV.In6xs.yigWY4VWH1iNK5oS7aiKe6eBOL4Xifk-1728999573-1.0.1.1-JnW_97jN86t2Hc2gjpQD.0gxMboUGc9PRHzEU1IF6NIdDzzqtTmgEwYXj_toZwGIKC1vOLcnLnPgpNmiv5kzRQ; path=/; expires=Tue, 15-Oct-24 14:09:33 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037440ce9225d-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:50 GMTSet-Cookie: __cf_bm=qs7qpzbLNrRljCKaFh3TJfJ7sOl4FZgA5t_fqo4mAu4-1728999575-1.0.1.1-3H_7CHI.JeMpVjHLXKVzdWV1BdzwWuf7TMPlfa3ZEl1y_8eVvOtwk8EAFv1X49mkRrzgYTtOsu_tCYuV4MJQ5w; path=/; expires=Tue, 15-Oct-24 14:09:35 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037543adfa65f-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:39:58 GMTSet-Cookie: __cf_bm=dEtUiyT5kOMGsoewrlMsH86fIMeO8ARNOZyXV4KvxLc-1728999583-1.0.1.1-2nrQr8tSbJVapw5qb6k7K8P2GeQ3zP_I4.WtE2QiVZCpLYPYbM1JV_VR7iCk6CIJKZK1SHU9pcyiOMcRKNpVMg; path=/; expires=Tue, 15-Oct-24 14:09:43 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037833af1b3cd-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:03 GMTSet-Cookie: __cf_bm=f1HcTp4Mh3lmZto.Gzc.AT5Ix0xG4UgnN2cTfnm2iRk-1728999588-1.0.1.1-PndGfoVIVSCw_zYFFlO4S9q2OnApUbbdX_ls_VTFBflODamZIdtL8gAjAI96qFwu0vC4bJ_HBrDDlC_xHy.cbA; path=/; expires=Tue, 15-Oct-24 14:09:48 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037a2abeedafd-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:39:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:04 GMTSet-Cookie: __cf_bm=E3F9TcAbDwxgIw_jB78puRTCDn31ed_XiHjZ2Z3uvN4-1728999589-1.0.1.1-NISv8YYKyxEnb7thEwukTJqj8AFicTZWOM9B2o_vB02haPd6jAM53gFjLxVNWz1og_C84jDYFxq8Q2_ry.x2Ww; path=/; expires=Tue, 15-Oct-24 14:09:49 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3037aace3209d2-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:23 GMTSet-Cookie: __cf_bm=pCja678nNOzcnlj8AIl5cqDoL9NDLXz1QeNDVA6F_2I-1728999608-1.0.1.1-jNkPh3_JSqg3HjaMHtTxI59ZJOB0l27_29eyo1YQjFfKtfHTVh8lsilpJR0cgtg2Z6H5vvK3oW_NW5WkTN6BFg; path=/; expires=Tue, 15-Oct-24 14:10:08 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d30381f0e2fa542-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:36 GMTSet-Cookie: __cf_bm=FBZ5FeMR7wf3rISjFLmDc0tPNN5B9I35CCWGeBJgFi4-1728999621-1.0.1.1-298NnIQqgeSTU1cH0rOuH6QS0cYt5xc8d.H8nnUWeeXaHzn4.YSG5I7PbSrFxc4fzVKDu6c_One0Gbx0CKgP9w; path=/; expires=Tue, 15-Oct-24 14:10:21 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d30386f7cf52248-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:42 GMTSet-Cookie: __cf_bm=3KmCd1iTglOQmKtxyeKONNrNCnlRmgWQGTWjR52AWUU-1728999627-1.0.1.1-w_UaW0tu59N_neXqjWixCLbUAGXl5Fc1ZSzu5lWp2qGXRcxW8LC2cl8OJp2i9gGaqhcB8ETQwQkqqOGmDVxVjQ; path=/; expires=Tue, 15-Oct-24 14:10:27 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3038959d9aa528-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:53 GMTSet-Cookie: __cf_bm=ZUqrKhDp8xQn2DKspgYSS_EbV0bhRxRvgFryELuZ3O0-1728999638-1.0.1.1-upkv__2Z8cWMQyLaTM.2lOXjH2k6AKKbrH.NPjDs6cy7f0js8ACsPjezBVbHt9zJFXgwqaM0mnRp3puZNGxZYA; path=/; expires=Tue, 15-Oct-24 14:10:38 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3038db1c7ca689-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:40:56 GMTSet-Cookie: __cf_bm=R.k1EjMfwQgTcDAR7aOiHCEUxF3je0_1LAbNJSfr2hY-1728999641-1.0.1.1-hpT_lPPXA6iDgRL3peV9w1XsZWO4bh4fJPtetgMjszkNtTwNJCdhW57tQvO2Zn5V_63zqe99GkHtCuMhWQE6Qw; path=/; expires=Tue, 15-Oct-24 14:10:41 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3038efff7031da-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:41:05 GMTSet-Cookie: __cf_bm=L9ZRP8axm0tU__VmuLOhxu8CGxXdjdQqpRsZYn.FkzA-1728999650-1.0.1.1-FZjCQS4a00.yI2KAbXeR8X1BDQ1elTMPrDfNh8Pjoft02bGGUXT_zLhINCcGqU.necUnLQXr4jmkcg.N_AUOGA; path=/; expires=Tue, 15-Oct-24 14:10:50 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d303927fb620318-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:40:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:41:08 GMTSet-Cookie: __cf_bm=VxVcVL.bDTBTwsANTKK5hYvjky_kE9jqeEGOM8rC_ng-1728999653-1.0.1.1-i51nPqjDsVO5mvKMCy6Q6KaORH_RDD3IzJRoyXRz_XfADhj62xDY4hlpk9v7emruHT5NoCBSLVVGQEtKT0Ndqg; path=/; expires=Tue, 15-Oct-24 14:10:53 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d30393bdf37b3d9-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:41:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:41:18 GMTSet-Cookie: __cf_bm=qgCPNQUvA4T.cuX9sKX0Um1PtriHgV4WWFUpziUwxXA-1728999663-1.0.1.1-xPz__GkVFyYCwbohpRkZ38DVrzQqFLK87DxAEnqYExO85Tz2xdmqOlo4OYcjMUx9ex1Qa3z5o11wjzex6Zksmw; path=/; expires=Tue, 15-Oct-24 14:11:03 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d30397acb3874a2-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Oct 2024 13:41:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4526Connection: closeReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 15 Oct 2024 13:41:22 GMTSet-Cookie: __cf_bm=kKmo4ROCqHNKLtwsO9p2yfQAbjF3Px2ckXqGlFgvJYA-1728999667-1.0.1.1-MBsL9KJP394uCiIBBbJeFsnWNcCkO_SuZzg_H1OysuvtKR_FzZvYdFGlmljjIIBLvu_zSabsndOdF4NqwL21hQ; path=/; expires=Tue, 15-Oct-24 14:11:07 GMT; domain=.whatismyipaddress.com; HttpOnlyX-Frame-Options: DENYServer: cloudflareCF-RAY: 8d3039912c2e0a0e-MIAalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--

Source: zjisvko.exe.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000002.208467838534.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000016.00000000.208481029664.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000016.00000002.208519746880.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000017.00000000.208492207536.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000017.00000002.208493160917.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000018.00000000.208505933983.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000018.00000002.208506730015.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000019.00000000.208520152098.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000019.00000002.208521268464.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001A.00000000.208530811819.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001A.00000002.208570641746.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001C.00000002.208538250456.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001C.00000000.208537389886.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001D.00000000.208539397524.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001D.00000002.208540705118.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001E.00000000.208547520969.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001E.00000002.208548234455.000000000042A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: zjisvko.exe, 00000004.00000002.208991705724.000000000019F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://whatismyipaddress.com/

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_0041394A

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	2_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041394A OpenClipboard,WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,	5_2_0041394A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041394A WriteFile,EmptyClipboard,lstrlenA,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,	19_2_0041394A

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_004139A0 IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,GlobalUnlock,CloseClipboard,

2_2_004139A0

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00411356 GetWindowRect,GetWindowDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,DeleteDC,ReleaseDC,DeleteObject,

2_2_00411356

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_004095B5 Sleep,Sleep,Sleep,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowTextA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,Sleep,lstrcatA,lstrcatA,

2_2_004095B5

Source: takyouhoymc.exe

Process created: 44

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	2_2_0041EDCD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	4_2_0041EDCD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041EDCD PostQuitMessage,CreateThread,GetTickCount,lstrcpynA,lstrcpyA,wsprintfA,PostQuitMessage,NtdllDefWindowProc_A,	5_2_0041EDCD

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	2_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	2_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00413DD8 ExitWindowsEx,	2_2_00413DD8
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	4_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	4_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00413DD8 ExitWindowsEx,	4_2_00413DD8
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, shutdown -r	5_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,Sleep,Sleep,GetTickCount,lstrcpyA,lstrlenA,lstrcatA,ShellExecuteA,CreateThread,GetTickCount,Sleep,Sleep,MessageBoxA,Sleep, Shutdown	5_2_00415D7A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00413DD8 ExitWindowsEx,	5_2_00413DD8

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\yrzsecpaticodwrc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\yrzsecpaticodwrc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\fzicpocoiytgwqmyr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\ojtoccrezqmarmjwql.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\zvgcrsiwskhwokiwrny.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\mjvsikbqngeunkjyurda.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\bzmkbewmkeduommczxkiz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\srfewatkjeewrqrigftsko.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Windows\SysWOW64\dfwytawqsqtomosmnpgid.gac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Windows\dfwytawqsqtomosmnpgid.gac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Windows\SysWOW64\ylnagyfkxguajwlqcprekcjobkyenapu.tvi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Windows\ylnagyfkxguajwlqcprekcjobkyenapu.tvi	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040C7E0	2_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0042797B	2_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041A936	2_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041B3CF	2_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004223D8	2_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041B477	2_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040F488	2_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0042874A	2_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040F488	4_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040C7E0	4_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0042797B	4_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041A936	4_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041B3CF	4_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004223D8	4_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041B477	4_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0042874A	4_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040C7E0	5_2_0040C7E0
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0042797B	5_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041A936	5_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041B3CF	5_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004223D8	5_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041B477	5_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040F488	5_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0042874A	5_2_0042874A
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: 6_2_00406235	6_2_00406235
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: 6_2_00404FA8	6_2_00404FA8
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0042797B	19_2_0042797B
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041A936	19_2_0041A936
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041B3CF	19_2_0041B3CF
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004223D8	19_2_004223D8
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041B477	19_2_0041B477
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040F488	19_2_0040F488
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0042874A	19_2_0042874A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040C7E0	19_2_0040C7E0

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 0041D048 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 00410BF4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 0042203E appears 58 times
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 00421DB0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 00421DF0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: String function: 00413761 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 0041D048 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 00410BF4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 0042203E appears 58 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 00421DB0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 00421DF0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: String function: 00413761 appears 92 times

Source: HqvlYZC7Gf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@91/39@511/36

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	2_2_00413D4D
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	4_2_00413D4D
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00413D4D Sleep,GetCurrentProcess,OpenProcessToken,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	5_2_00413D4D

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0040604A Sleep,GetTickCount,Sleep,GetTickCount,Sleep,CreateToolhelp32Snapshot,Process32First,EnumWindows,Sleep,Process32Next,CloseHandle,CloseHandle,

2_2_0040604A

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0040901B FindResourceA,LoadResource,LoadResource,LockResource,LockResource,SizeofResource,SizeofResource,UpdateResourceA,LookupIconIdFromDirectoryEx,FindResourceA,LoadResource,LockResource,SizeofResource,UpdateResourceA,LookupIconIdFromDirectoryEx,FindResourceA,LoadResource,LockResource,SizeofResource,UpdateResourceA,LookupIconIdFromDirectoryEx,FindResourceA,LoadResource,LockResource,SizeofResource,UpdateResourceA,FindResourceA,LoadResource,LockResource,SizeofResource,UpdateResourceA,FreeResource,FreeResource,FreeResource,

2_2_0040901B

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00413A12 OpenSCManagerA,OpenServiceA,ControlService,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle,

2_2_00413A12

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

File created: C:\Program Files (x86)\dfwytawqsqtomosmnpgid.gac

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

File created: C:\Users\user\AppData\Local\dfwytawqsqtomosmnpgid.gac

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Mutant created: \Sessions\1\BaseNamedObjects\bzmkbewmkeduommczxkiz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Mutant created: \Sessions\1\BaseNamedObjects\llaatyskkghawwyqppeexcw
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Mutant created: \Sessions\1\BaseNamedObjects\cyxafacyxafacyxafacyxafacy
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Mutant created: \Sessions\1\BaseNamedObjects\srfewatkjeewrqrigftsko

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe

File created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Jump to behavior

Source: HqvlYZC7Gf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HqvlYZC7Gf.exe

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\HqvlYZC7Gf.exe "C:\Users\user\Desktop\HqvlYZC7Gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe*"
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"
Source: unknown	Process created: C:\Windows\ojtoccrezqmarmjwql.exe "C:\Windows\ojtoccrezqmarmjwql.exe" .
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\ojtoccrezqmarmjwql.exe*."
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe "C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe" .
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\bzmkbewmkeduommczxkiz.exe*."
Source: unknown	Process created: C:\Windows\mjvsikbqngeunkjyurda.exe "C:\Windows\mjvsikbqngeunkjyurda.exe" .
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\mjvsikbqngeunkjyurda.exe*."
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe "C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe" .
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\mjvsikbqngeunkjyurda.exe*."
Source: unknown	Process created: C:\Windows\yrzsecpaticodwrc.exe "C:\Windows\yrzsecpaticodwrc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe "C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe"
Source: unknown	Process created: C:\Windows\mjvsikbqngeunkjyurda.exe "C:\Windows\mjvsikbqngeunkjyurda.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe "C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: unknown	Process created: C:\Windows\yrzsecpaticodwrc.exe "C:\Windows\yrzsecpaticodwrc.exe" .
Source: C:\Windows\yrzsecpaticodwrc.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\yrzsecpaticodwrc.exe*."
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe*"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\ojtoccrezqmarmjwql.exe*."	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\bzmkbewmkeduommczxkiz.exe*."
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\mjvsikbqngeunkjyurda.exe*."
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\mjvsikbqngeunkjyurda.exe*."
Source: C:\Windows\yrzsecpaticodwrc.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\yrzsecpaticodwrc.exe*."

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: apphelp.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: edgegdi.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: windows.storage.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: wldp.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: uxtheme.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: propsys.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: dlnashext.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: wpdshext.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: profapi.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: edputil.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: urlmon.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: iertutil.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: srvcli.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: netutils.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: sspicli.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: wintypes.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: appresolver.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: slc.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: userenv.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: sppc.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: apphelp.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Section loaded: edgegdi.dll
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: wininet.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: edgegdi.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: wldp.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: propsys.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: apphelp.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: dlnashext.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: wpdshext.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: profapi.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: edputil.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: urlmon.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: iertutil.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: srvcli.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: netutils.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: sspicli.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: wintypes.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: appresolver.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: slc.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: userenv.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: sppc.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\yrzsecpaticodwrc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0040A949 InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0040A949

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004223C7 push ecx; ret	2_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00421DF0 push eax; ret	2_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00421DF0 push eax; ret	2_2_00421E2C
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004223C7 push ecx; ret	4_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00421DF0 push eax; ret	4_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00421DF0 push eax; ret	4_2_00421E2C
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004223C7 push ecx; ret	5_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00421DF0 push eax; ret	5_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00421DF0 push eax; ret	5_2_00421E2C
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: 6_2_004050C0 push eax; ret	6_2_004050D4
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: 6_2_004050C0 push eax; ret	6_2_004050FC
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: 6_2_00404F97 push ecx; ret	6_2_00404FA7
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004223C7 push ecx; ret	19_2_004223D7
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00421DF0 push eax; ret	19_2_00421E04
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00421DF0 push eax; ret	19_2_00421E2C

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\ojtoccrezqmarmjwql.exe
Source: unknown	Executable created and started: C:\Windows\yrzsecpaticodwrc.exe
Source: unknown	Executable created and started: C:\Windows\mjvsikbqngeunkjyurda.exe

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\srfewatkjeewrqrigftsko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\yrzsecpaticodwrc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\qfjygajqfqgo.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\ojtoccrezqmarmjwql.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\zvgcrsiwskhwokiwrny.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\fzicpocoiytgwqmyr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\ylnagyfkxg.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\yrzsecpaticodwrc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\qhneokveviakxo.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\mjvsikbqngeunkjyurda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\bzmkbewmkeduommczxkiz.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\srfewatkjeewrqrigftsko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\zvgcrsiwskhwokiwrny.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\fzicpocoiytgwqmyr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\yrzsecpaticodwrc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\yrzsecpaticodwrc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\ojtoccrezqmarmjwql.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\mjvsikbqngeunkjyurda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\bzmkbewmkeduommczxkiz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	File created: C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\ylnagyfkxg.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\qfjygajqfqgo.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	File created: C:\qhneokveviakxo.bat	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qhneokveviakxo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run thkyfygmakz

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

2_2_0040A949

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\yrzsecpaticodwrc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040604A	2_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0042185B	2_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040683C	2_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040C15D	2_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041C19E	2_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004202CD	2_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00420B22	2_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0041F6DA	2_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_0040E690	2_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00405F6F	2_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00412FDD	2_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040683C	4_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041C19E	4_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00405F6F	4_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00412FDD	4_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040604A	4_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0042185B	4_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040C15D	4_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004202CD	4_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00420B22	4_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0041F6DA	4_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_0040E690	4_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040604A	5_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0042185B	5_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040683C	5_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040C15D	5_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041C19E	5_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004202CD	5_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00420B22	5_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0041F6DA	5_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_0040E690	5_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00405F6F	5_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00412FDD	5_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040604A	19_2_0040604A
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0042185B	19_2_0042185B
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040683C	19_2_0040683C
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040C15D	19_2_0040C15D
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041C19E	19_2_0041C19E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004202CD	19_2_004202CD
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00420B22	19_2_00420B22
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0041F6DA	19_2_0041F6DA
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_0040E690	19_2_0040E690
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00405F6F	19_2_00405F6F
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00412FDD	19_2_00412FDD

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\ojtoccrezqmarmjwql.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_2-29605
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-31135

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetCursorPos,Sleep,	2_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetCursorPos,Sleep,	4_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetCursorPos,Sleep,	5_2_0040C431
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetCursorPos,Sleep,	19_2_0040C431

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	2_2_00416896
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	4_2_00416896
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetTickCount,GetAdaptersInfo,GetTickCount,GetAdaptersInfo,inet_addr,	5_2_00416896

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 10800000			Jump to behavior

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Window / User API: threadDelayed 3289	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Window / User API: threadDelayed 3296	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Window / User API: threadDelayed 3045	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Window / User API: threadDelayed 1610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Window / User API: threadDelayed 1623	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Window / User API: threadDelayed 759	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Window / User API: threadDelayed 8968	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-31410

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Dropped PE file which has not been started: C:\ylnagyfkxg.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Dropped PE file which has not been started: C:\qfjygajqfqgo.bat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Dropped PE file which has not been started: C:\qhneokveviakxo.bat	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Evaded block: after key decision

graph_4-30652

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_2-29550
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_2-30223
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_4-30498

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	API coverage: 6.8 %
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	API coverage: 0.7 %

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00412FDD		19_2_00412FDD
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00412FDD		5_2_00412FDD

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep count: 3289 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep count: 3296 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep count: 266 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep time: -266000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep count: 3045 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe TID: 2436	Thread sleep time: -3045000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 4576	Thread sleep count: 1610 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 4332	Thread sleep count: 1623 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 1192	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6460	Thread sleep time: -570000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 2500	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6240	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 5516	Thread sleep count: 759 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 5344	Thread sleep time: -10800000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 5540	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6240	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6992	Thread sleep count: 160 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6992	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 7596	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 7596	Thread sleep time: -86000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 5200	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6992	Thread sleep count: 8968 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe TID: 6992	Thread sleep time: -8968000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	2_2_00407850
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	2_2_00401000
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	2_2_00414883
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00408912
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	2_2_00407259
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	2_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	2_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	2_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	2_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	2_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407850 lstrlenA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00407850
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	4_2_00414883
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	4_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00406718 lstrcmpiA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00401000 lstrcatA,lstrcpyA,Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00408912 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	4_2_00408912
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407259 Sleep,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	4_2_00407259
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	4_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00407D1E lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	4_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	4_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	5_2_00406718
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_00407850
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	5_2_00401000
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	5_2_00414883
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	5_2_00408912
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	5_2_00407259
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	5_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	5_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	5_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407850 lstrcatA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	19_2_00407850
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00401000 Sleep,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,CopyFileA,FindNextFileA,FindClose,	19_2_00401000
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00414883 lstrcatA,lstrcpyA,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,	19_2_00414883
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,wsprintfA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,	19_2_00408912
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407259 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrcmpiA,lstrcpyA,lstrlenA,wsprintfA,FindNextFileA,FindClose,	19_2_00407259
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004092D5 Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcpyA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,lstrcpyA,	19_2_004092D5
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_004074A2 Sleep,Sleep,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,lstrlenA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	19_2_004074A2
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00407D1E Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	19_2_00407D1E
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00410F49 Sleep,wsprintfA,wsprintfA,FindFirstFileA,FindClose,wsprintfA,FindClose,FindNextFileA,FindClose,	19_2_00410F49
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 19_2_00406718 GetTickCount,Sleep,wsprintfA,wsprintfA,FindFirstFileA,lstrcatA,wsprintfA,lstrcpyA,lstrcatA,lstrcatA,SetFileAttributesA,FindNextFileA,FindClose,	19_2_00406718

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_004069AA GetLogicalDriveStringsA,Sleep,lstrcpyA,lstrlenA,

2_2_004069AA

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00408D16 InitializeCriticalSection,GetVersionExA,GetVersionExA,GetVersionExA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetModuleHandleA,GetProcAddress,

2_2_00408D16

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 10800000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: takyouhoymc.exe, 00000002.00000002.207849612218.000000000060E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: zjisvko.exe, 00000004.00000002.208993624460.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, zjisvko.exe, 00000005.00000002.208993445273.0000000000618000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000007.00000002.207921807137.0000000000668000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000009.00000002.208002233659.0000000000728000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 0000000B.00000002.208083143330.00000000005E8000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 0000000D.00000002.208164498520.0000000000628000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000011.00000002.208434593699.0000000000728000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000012.00000002.208475310197.0000000000638000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000016.00000002.208520988894.0000000000688000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 0000001A.00000002.208571740441.0000000000788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	API call chain: ExitProcess graph end node	graph_2-29551
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	API call chain: ExitProcess graph end node	graph_4-29633
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\ojtoccrezqmarmjwql.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep

graph_4-30947

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

2_2_0040A949

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00410BF4 lstrcpyA,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,Sleep,GetProcessHeap,RtlAllocateHeap,

2_2_00410BF4

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Registry value deleted: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Defender

Jump to behavior

Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe*"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\HqvlYZC7Gf.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Process created: C:\Users\user\AppData\Local\Temp\zjisvko.exe "C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"	Jump to behavior
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\ojtoccrezqmarmjwql.exe*."	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\bzmkbewmkeduommczxkiz.exe*."
Source: C:\Windows\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\mjvsikbqngeunkjyurda.exe*."
Source: C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\mjvsikbqngeunkjyurda.exe*."
Source: C:\Windows\yrzsecpaticodwrc.exe	Process created: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe "C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\yrzsecpaticodwrc.exe*."

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00413E36 lstrlenA,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetLastError,GetLastError,lstrcpyA,GetTokenInformation,GetLengthSid,InitializeAcl,AddAccessAllowedAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorSacl,lstrlenA,CreateDirectoryA,GetLastError,CloseHandle,SetFileAttributesA,

2_2_00413E36

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_0040C34F GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid,

2_2_0040C34F

Source: zjisvko.exe, 00000004.00000002.208995373220.0000000002C9D000.00000004.00000010.00020000.00000000.sdmp, zjisvko.exe, 00000004.00000002.208996413779.000000000365E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Shell_TrayWnd
Source: zjisvko.exe, 00000004.00000002.208995373220.0000000002C9D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager Chromelication
Source: takyouhoymc.exe, 00000002.00000003.207821321275.0000000000636000.00000004.00000020.00020000.00000000.sdmp, takyouhoymc.exe, 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000002.00000000.207767291424.000000000042A000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: pset=i=l=Windows NTUser-Agent:GET TLSServicesActivesfc_os.dllSeShutdownPrivilegeNtShutdownSystemntdll.dll%d.%d.%d.%dNotification ArToolbarWindow32NotifyIconOverflowWShell_TrayWndhttp:TwitterUser Account ControlRegistry EdiPlease restart your computer.Shutdown.regdeviceInternetGatewayDeviceWANIPConnectionserviceWANPPPConnectionurn:schemas-upnp-org:://</%s><%s>Content-Length:errorCodecontrolURL</service><serviceType>%s</serviceType>%s%s:%s:%dhttp://%s/URLBasemodelNamefriendlyNameGET %s HTTP/1.1
Source: zjisvko.exe, 00000004.00000002.208996413779.000000000365E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: @Program Manager

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetLocaleInfoA,	2_2_00427227
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetLocaleInfoA,	4_2_00427227
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: GetLocaleInfoA,	5_2_00427227
Source: C:\Windows\ojtoccrezqmarmjwql.exe	Code function: GetLocaleInfoA,	6_2_0040773D
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: GetLocaleInfoA,	19_2_00427227

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00413AAC GetTickCount,GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,CreateFileA,SetFileTime,CloseHandle,

2_2_00413AAC

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00408912 Sleep,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,lstrlenA,lstrlenA,lstrlenA,lstrcmpiA,lstrlenA,wsprintfA,GetUserNameA,wsprintfA,ShellExecuteA,wsprintfA,ShellExecuteA,Sleep,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,LoadLibraryA,EnumResourceNamesA,FreeLibrary,MoveFileA,SetFileAttributesA,FindNextFileA,FindClose,

2_2_00408912

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_004034C1 GetTickCount,lstrcmpA,lstrcmpA,lstrlenA,lstrcmpA,lstrlenA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,GetTickCount,lstrcmpA,lstrcmpA,GetTickCount,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcmpA,GetTimeZoneInformation,lstrcmpA,GetTimeZoneInformation,

2_2_004034C1

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Code function: 2_2_00422B93 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

2_2_00422B93

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend

Jump to behavior

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinDefend

Jump to behavior

Disable UAC(promptonsecuredesktop)

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Registry value created: PromptOnSecureDesktop 0

Jump to behavior

Disables UAC (registry)

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Disables the Windows registry editor (regedit)

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Jump to behavior

Disables user account control notifications

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Security Center

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	Code function: 2_2_004121EB htons,socket,closesocket,bind,listen,ioctlsocket,select,__WSAFDIsSet,accept,getpeername,GetTickCount,shutdown,closesocket,recv,shutdown,closesocket,send,CreateThread,lstrlenA,closesocket,	2_2_004121EB
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 4_2_004121EB GetTickCount,Sleep,htons,socket,closesocket,bind,listen,ioctlsocket,select,__WSAFDIsSet,accept,getpeername,GetTickCount,shutdown,closesocket,recv,shutdown,closesocket,send,CreateThread,lstrlenA,closesocket,	4_2_004121EB
Source: C:\Users\user\AppData\Local\Temp\zjisvko.exe	Code function: 5_2_004121EB htons,socket,closesocket,bind,listen,ioctlsocket,select,__WSAFDIsSet,accept,getpeername,GetTickCount,shutdown,closesocket,recv,shutdown,closesocket,send,CreateThread,lstrlenA,closesocket,	5_2_004121EB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	21 Replication Through Removable Media	24 Native API	1 DLL Side-Loading	1 DLL Side-Loading	6 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	1 Windows Service	2 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	2 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	31 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	2 Bypass User Account Control	LSA Secrets	124 System Information Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	31 Registry Run Keys / Startup Folder	132 Masquerading	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	331 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	121 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	2 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
HqvlYZC7Gf.exe	100%	Avira	TR/Drop.Agent.bjxj
HqvlYZC7Gf.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
HqvlYZC7Gf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\ylnagyfkxg.bat	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	100%	Avira	TR/Agent.327680.A
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\qfjygajqfqgo.bat	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\qhneokveviakxo.bat	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\zjisvko.exe	100%	Avira	TR/Agent.327680.A
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Avira	TR/Drop.Agent.bjxj
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Joe Sandbox ML
C:\ylnagyfkxg.bat	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\takyouhoymc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Joe Sandbox ML
C:\qfjygajqfqgo.bat	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Joe Sandbox ML
C:\qhneokveviakxo.bat	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\zjisvko.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\yrzsecpaticodwrc.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\bzmkbewmkeduommczxkiz.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\fzicpocoiytgwqmyr.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\mjvsikbqngeunkjyurda.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\ojtoccrezqmarmjwql.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\srfewatkjeewrqrigftsko.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\yrzsecpaticodwrc.exe	97%	ReversingLabs	Win32.Trojan.Pykspa
C:\Windows\zvgcrsiwskhwokiwrny.exe	97%	ReversingLabs	Win32.Trojan.Pykspa

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
myspace.com	34.111.176.156	true	false	unknown
bbc.map.fastly.net	151.101.128.81	true	false	unknown
buakrgp.org	162.249.65.164	true	false	unknown
www.whatismyip.com	104.27.206.92	true	true	unknown
qkqsgqekyago.org	162.249.65.164	true	false	unknown
kwecii.org	162.249.65.164	true	false	unknown
lwbjtptjlzji.net	35.164.78.200	true	false	unknown
iewiai.org	162.249.65.164	true	false	unknown
zcdwpozkfvv.org	162.249.65.164	true	false	unknown
www.showmyipaddress.com	172.67.155.175	true	true	unknown
star-mini.c10r.facebook.com	31.13.67.35	true	false	unknown
jmvozxx.org	162.249.65.164	true	false	unknown
dwtopsisx.org	162.249.65.164	true	false	unknown
whatismyipaddress.com	104.19.223.79	true	true	unknown
d2bytcopxu066p.cloudfront.net	18.64.172.225	true	false	unknown
pki-goog.l.google.com	142.250.217.195	true	false	unknown
wcasugikao.org	162.249.65.164	true	false	unknown
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
htcdxnm.org	162.249.65.164	true	false	unknown
xkesrsk.org	162.249.65.164	true	false	unknown
awoumowqyw.org	162.249.65.164	true	false	unknown
gemckmkqmeim.org	162.249.65.164	true	false	unknown
muosqoie.org	162.249.65.164	true	false	unknown
xhjwwgwd.info	85.214.228.140	true	false	unknown
wsmpvwxb.info	208.100.26.245	true	false	unknown
hosplypcd.net	unknown	unknown	true	unknown
ucrkhizrjle.net	unknown	unknown	true	unknown
dcbeeq.net	unknown	unknown	true	unknown
ozsqpqy.net	unknown	unknown	true	unknown
uugiiqomoa.org	unknown	unknown	true	unknown
uagoeg.org	unknown	unknown	true	unknown
ryxedahgvtlu.net	unknown	unknown	true	unknown
otykmmxuwhs.info	unknown	unknown	true	unknown
ikvzsyc.net	unknown	unknown	true	unknown
hlrqvyg.net	unknown	unknown	true	unknown
nifigom.net	unknown	unknown	true	unknown
zszagqbuxtu.org	unknown	unknown	true	unknown
kyszrzmuawj.net	unknown	unknown	true	unknown
dieqnoxgfoxb.net	unknown	unknown	true	unknown
zfrhqybxtdeg.net	unknown	unknown	true	unknown
fygwaqxgysw.net	unknown	unknown	true	unknown
eyngxwxvv.info	unknown	unknown	true	unknown
rboarkztdep.net	unknown	unknown	true	unknown
gwcisuuo.com	unknown	unknown	true	unknown
wgiusyackwya.com	unknown	unknown	true	unknown
yjtugxbx.net	unknown	unknown	true	unknown
emxwaolfpmi.net	unknown	unknown	true	unknown
gmwsmkuo.com	unknown	unknown	true	unknown
saxwjjjeb.info	unknown	unknown	true	unknown
vgpckslqq.info	unknown	unknown	true	unknown
agakymgcigsw.org	unknown	unknown	true	unknown
giglhwhuby.net	unknown	unknown	true	unknown
xofihfrimj.net	unknown	unknown	true	unknown
iilirx.info	unknown	unknown	true	unknown
zmzaasi.com	unknown	unknown	true	unknown
bwvdpivgkbq.info	unknown	unknown	true	unknown
sxwhjlvgpu.net	unknown	unknown	true	unknown
pomobah.com	unknown	unknown	true	unknown
akyndev.info	unknown	unknown	true	unknown
nrayothh.net	unknown	unknown	true	unknown
ywzcjat.info	unknown	unknown	true	unknown
hdtuhunof.info	unknown	unknown	true	unknown
eukvpt.info	unknown	unknown	true	unknown
strpoehe.net	unknown	unknown	true	unknown
lkykrcllfknb.net	unknown	unknown	true	unknown
jcfzmn.info	unknown	unknown	true	unknown
khhwhgysu.info	unknown	unknown	true	unknown
jcyusd.info	unknown	unknown	true	unknown
dadqeqrbmhkp.net	unknown	unknown	true	unknown
keyuqaco.org	unknown	unknown	true	unknown
fltebaltkwm.info	unknown	unknown	true	unknown
ftpehwlaf.com	unknown	unknown	true	unknown
mbrwiditjn.info	unknown	unknown	true	unknown
oqecuy.com	unknown	unknown	true	unknown
ebzwtwgch.info	unknown	unknown	true	unknown
fnvcomt.net	unknown	unknown	true	unknown
coxovsu.info	unknown	unknown	true	unknown
vacovcj.com	unknown	unknown	true	unknown
qqikyaggkswy.org	unknown	unknown	true	unknown
pqqobu.net	unknown	unknown	true	unknown
otmccjnozm.net	unknown	unknown	true	unknown
wccbxqqoyoy.net	unknown	unknown	true	unknown
fakljq.net	unknown	unknown	true	unknown
pspexyjytqa.org	unknown	unknown	true	unknown
tqpofcjab.net	unknown	unknown	true	unknown
hevkrkpespf.info	unknown	unknown	true	unknown
zryswp.net	unknown	unknown	true	unknown
rcxvkunydmr.net	unknown	unknown	true	unknown
wuzupehil.net	unknown	unknown	true	unknown
qaciphd.net	unknown	unknown	true	unknown
magkesswuu.com	unknown	unknown	true	unknown
qayaswom.com	unknown	unknown	true	unknown
llymgadj.net	unknown	unknown	true	unknown
egvabsriwel.net	unknown	unknown	true	unknown
kgswyswsms.com	unknown	unknown	true	unknown
vjjuxotcr.net	unknown	unknown	true	unknown
cvpprc.net	unknown	unknown	true	unknown
ptxmhgbxv.com	unknown	unknown	true	unknown
yxeqglor.net	unknown	unknown	true	unknown
qodrrrzehko.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.facebook.com/	false	unknown
http://xhjwwgwd.info/	false	unknown
http://whatismyipaddress.com/	true	unknown
http://www.showmyipaddress.com/	true	unknown
http://wsmpvwxb.info/	false	unknown
http://www.imdb.com/	false	unknown
http://www.whatismyip.com/	true	unknown
http://lwbjtptjlzji.net/	false	unknown
http://www.myspace.com/	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/soap/encoding/	zjisvko.exe.2.dr	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	takyouhoymc.exe, takyouhoymc.exe, 00000013.00000000.208452330828.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000013.00000002.208453009696.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000000.208467251273.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000015.00000002.208467838534.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000016.00000000.208481029664.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000016.00000002.208519746880.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000017.00000000.208492207536.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000017.00000002.208493160917.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000018.00000000.208505933983.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000018.00000002.208506730015.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000019.00000000.208520152098.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 00000019.00000002.208521268464.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001A.00000000.208530811819.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001A.00000002.208570641746.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001C.00000002.208538250456.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001C.00000000.208537389886.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001D.00000000.208539397524.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001D.00000002.208540705118.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001E.00000000.208547520969.000000000042A000.00000002.00000001.01000000.00000006.sdmp, takyouhoymc.exe, 0000001E.00000002.208548234455.000000000042A000.00000002.00000001.01000000.00000006.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
31.13.67.35	star-mini.c10r.facebook.com	Ireland	32934	FACEBOOKUS	false
104.19.223.79	whatismyipaddress.com	United States	13335	CLOUDFLARENETUS	true
35.164.78.200	lwbjtptjlzji.net	United States	16509	AMAZON-02US	false
104.27.207.92	unknown	United States	13335	CLOUDFLARENETUS	true
41.47.39.184	unknown	Egypt	8452	TE-ASTE-ASEG	false
114.25.71.193	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
212.75.9.215	unknown	Bulgaria	43205	BULSATCOM-BG-ASSofiaBG	true
85.217.219.168	unknown	Taiwan; Republic of China (ROC)	138611	CSTLC-AS-APCloudSpeedTechnologyLimitedCoTW	false
34.111.176.156	myspace.com	United States	15169	GOOGLEUS	false
46.159.134.7	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
89.215.35.152	unknown	Bulgaria	13124	IBGCBG	false
78.63.102.38	unknown	Lithuania	8764	TELIA-LIETUVALT	true
208.100.26.245	wsmpvwxb.info	United States	32748	STEADFASTUS	false
172.67.155.175	www.showmyipaddress.com	United States	13335	CLOUDFLARENETUS	true
104.27.206.92	www.whatismyip.com	United States	13335	CLOUDFLARENETUS	true
18.64.172.225	d2bytcopxu066p.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
178.90.73.188	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
188.114.42.197	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
89.215.115.4	unknown	Bulgaria	13124	IBGCBG	false
85.214.228.140	xhjwwgwd.info	Germany	6724	STRATOSTRATOAGDE	false
162.249.65.164	buakrgp.org	United States	7922	COMCAST-7922US	false

Private

IP
192.168.11.8
192.168.11.7
192.168.11.9
192.168.11.2
192.168.11.1
192.168.11.4
192.168.11.3
192.168.11.6
192.168.11.5
192.168.11.13
192.168.11.12
192.168.11.15
192.168.11.14
192.168.11.11
192.168.11.10

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1534090
Start date and time:	2024-10-15 15:36:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	HqvlYZC7Gf.exe (renamed file extension from none to exe)
Original Sample Name:	HqvlYZC7Gf
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@91/39@511/36
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 126 Number of non-executed functions: 225

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, nexusrules.officeapps.live.com, wu-b-net.trafficmanager.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: HqvlYZC7Gf.exe

Simulations

Behavior and APIs

Time	Type	Description
09:39:00	API Interceptor	5114226x Sleep call for process: zjisvko.exe modified
09:39:21	API Interceptor	5887x Sleep call for process: HqvlYZC7Gf.exe modified
15:38:51	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk ojtoccrezqmarmjwql.exe .
15:38:59	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fzicpocoiytgwqmyr C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe .
15:39:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc mjvsikbqngeunkjyurda.exe .
15:39:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe .
15:39:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey yrzsecpaticodwrc.exe
15:39:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe
15:39:40	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo mjvsikbqngeunkjyurda.exe
15:39:48	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ojtoccrezqmarmjwql C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe
15:39:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce yrzsecpaticodwrc yrzsecpaticodwrc.exe .
15:40:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce pfkajeowmypyk C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe .
15:40:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tlskvseogunymey ojtoccrezqmarmjwql.exe
15:40:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qfjygajqfqgo C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
35.164.78.200	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	nqwjmb.biz/qqkxguyx
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	tnevuluw.biz/vjmakoegwejtsrok
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	tnevuluw.biz/gkelhjchsuditmme
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	tnevuluw.biz/ejbrogxxii
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	nqwjmb.biz/ut
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	tnevuluw.biz/hb
	TTMGv2XOAd.exe	Get hash	malicious	Unknown	Browse	rmhhhmswqh.org/imgs/krewa/nqxa.php?id=e66cavkj&s5=3159&lip=192.168.2.9&win=Unk
	McbdvFaVqC.exe	Get hash	malicious	Unknown	Browse	rmhhhmswqh.org/imgs/krewa/nqxa.php?id=1542jglu&s5=3159&lip=192.168.2.7&win=Unk
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook, LummaC Stealer	Browse	ijnmvqa.biz/odsoxhgwtfeg
	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	memberreceive.net/index.php
104.27.207.92	https://files.fm/u/vtrxvgdh6w	Get hash	malicious	GuLoader	Browse
	https://files.fm/u/jsq73ja9cp	Get hash	malicious	GuLoader	Browse
	http://files.fm/u/stdpwqvw9s	Get hash	malicious	Unknown	Browse
	http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion/	Get hash	malicious	Unknown	Browse
	jRvFQFBzhX.exe	Get hash	malicious	Socelars	Browse
	67MPsax8fd.exe	Get hash	malicious	Unknown	Browse
	lBOsC9VNlS.exe	Get hash	malicious	Unknown	Browse
	uFvG6DlSUpNCq_0a0Y3vNrYQ.exe	Get hash	malicious	Unknown	Browse
	One.exe	Get hash	malicious	Unknown	Browse
	Five.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bbc.map.fastly.net	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.192.81
	file.exe	Get hash	malicious	Unknown	Browse	151.101.128.81
	https://b9halom2.page.link/dmCn	Get hash	malicious	Unknown	Browse	151.101.64.81
	4s14EZ9Cja.html	Get hash	malicious	Unknown	Browse	151.101.0.81
	ONOiP4wkdZ.exe	Get hash	malicious	Unknown	Browse	151.101.0.81
	https://utfgsds.ezua.com	Get hash	malicious	Unknown	Browse	151.101.0.81
	https://boring-mendel.91-208-92-12.plesk.page/	Get hash	malicious	Unknown	Browse	151.101.0.81
	http://www.ofice.com	Get hash	malicious	Unknown	Browse	151.101.0.81
	4oV2svIvyn.exe	Get hash	malicious	Unknown	Browse	151.101.0.81
	https://staffbenefitaccess23.000webhostapp.com/1	Get hash	malicious	HTMLPhisher	Browse	151.101.0.81
www.showmyipaddress.com	vundevjtbot.bin.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	E5DpWZ7Yhr.exe	Get hash	malicious	Unknown	Browse	188.114.96.7
	ONOiP4wkdZ.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	tLIQS3Pca5.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	CgFJBVFNlg.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	4oV2svIvyn.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Microsoft Office Project 2007.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ymOOyTtHBV.exe	Get hash	malicious	Unknown	Browse	104.21.74.56
	57poVaWCk4.exe	Get hash	malicious	Unknown	Browse	104.21.74.56
	CdHqfJlg4h.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
www.whatismyip.com	http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion/	Get hash	malicious	Unknown	Browse	104.27.206.92
	3AysenL2d0.exe	Get hash	malicious	Unknown	Browse	104.21.89.158
	document.htm .exe	Get hash	malicious	Unknown	Browse	104.21.89.158
	vundevjtbot.bin.exe	Get hash	malicious	Unknown	Browse	172.67.189.152
	E5DpWZ7Yhr.exe	Get hash	malicious	Unknown	Browse	172.67.189.152
	ONOiP4wkdZ.exe	Get hash	malicious	Unknown	Browse	104.21.89.158
	It1r6uq8s3.exe	Get hash	malicious	Unknown	Browse	172.67.189.152
	tLIQS3Pca5.exe	Get hash	malicious	Unknown	Browse	104.21.89.158
	CgFJBVFNlg.exe	Get hash	malicious	Unknown	Browse	104.21.89.158
	4oV2svIvyn.exe	Get hash	malicious	Unknown	Browse	104.21.89.158

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://exxonmobil.sharefile.com/f/fo6e97b0-e6c2-4cc8-bc19-f661cb3d33b1?a=be3726f064e11dda	Get hash	malicious	Unknown	Browse	76.223.1.166
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	18.239.36.12
	https://landing-cs.mailcomms.io/73C4D162CAD9C4016A99EC5AF537DA57B4F5451828F0865A7DC8EA34ED2492F0	Get hash	malicious	Unknown	Browse	52.210.42.145
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	52.222.236.23
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	52.222.236.48
	MIgkej781f.exe	Get hash	malicious	Nanocore	Browse	3.137.123.63
	76BnBryvGP.exe	Get hash	malicious	RedLine	Browse	3.141.204.47
	xc.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	3.141.204.47
	qz.exe	Get hash	malicious	Quasar	Browse	3.16.105.95
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	52.222.236.80
CLOUDFLARENETUS	https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-	Get hash	malicious	Unknown	Browse	162.159.134.42
	https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	ordine.pdf	Get hash	malicious	Unknown	Browse	104.21.90.114
	ordine.pdf	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
	order.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	ordine.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	LISTA DE COTIZACIONES.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.gov	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
CLOUDFLARENETUS	https://e.cukurovadermatoloji.org.tr/i/Do-BbkmS8do2SSRbfKAqhcJT8K9iB0m-	Get hash	malicious	Unknown	Browse	162.159.134.42
	https://mayamabraidsweaveslocs.com/jndnnjnjvnjvdnvdnjnjn.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	ordine.pdf	Get hash	malicious	Unknown	Browse	104.21.90.114
	ordine.pdf	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
	order.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	ordine.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	LISTA DE COTIZACIONES.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=janice.atkins@faa.gov	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
TE-ASTE-ASEG	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	41.37.180.82
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	41.42.142.171
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	197.43.31.85
	na.elf	Get hash	malicious	Mirai, Gafgyt	Browse	197.38.240.105
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	154.186.189.224
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	41.233.16.107
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	41.36.124.90
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	163.121.253.38
	na.elf	Get hash	malicious	Mirai	Browse	197.49.247.237
	arm7.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	154.190.196.44

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\dfwytawqsqtomosmnpgid.gac

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	7.1981851936674515
Encrypted:	false
SSDEEP:	6:nZM19YseDprNGmbYRnGI1hTN/vY/uSLmV/xjLD0nUP9rW+dxORWiHEzn:nQ9Y9p0m8hG8tjS6VNv4UPcQORB4
MD5:	CC544179F2D591106D6C8F14D6C1C8C0
SHA1:	3A31D5C3C55DA337A32955423E0F333DF1A41929
SHA-256:	168BFE37E3AC673FE9A996D4FF8507D92EA490A93D20A94E1D2D6C8636154777
SHA-512:	2AEDE5D78DED0BFCFE96C54373A8DB2F556117A177CE9C112A665593E4B3C1391E8D71E2FABF573EE3A4A3DEBA25F014337BE5FE5EC88648C01164BEFF0A85DA
Malicious:	false
Reputation:	low
Preview:	...&.Y.x..z..e.h1..]T..~.-./.`6..I.a1..N..PB<L....]..H.]..............@....==9..m.X.P..&k.....0..8t...=.'...#.0...2..j.Z..u......p..H.V.......V.~jZJB..&....n.&z....C..(X..9..%.B..r.lW9.0.KR.\|bz.l..w..=I..F.]..n....#.Ti.o.1....KB.&..0.b:..9...b.lom....K.r.v.d..

C:\Program Files (x86)\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	4248
Entropy (8bit):	7.957329251765754
Encrypted:	false
SSDEEP:	96:ibhkgM8ipnEVl8a9ukWu2+/G16c5/2uRIu7F90spS:WkSipneOaRWu2uA6mhIS/pS
MD5:	2547EB3C7FC4309E0E30F0BA91DD9F62
SHA1:	9900F84F829199069CD3DBD212F2C0259B34891D
SHA-256:	C4834842132574F264AB481610796343593B33DB17DD4AB23D327E23134CAC46
SHA-512:	2F0E6A962C7027B9F25F6A74449F43BB47646F6AC0EECD67338B3379983E1D27DBEA618608DEE2B8AEAB44477F8F97DC05F0224319FD58381E4D10F3101BC6C9
Malicious:	false
Preview:	...H...'^.._....N....F....#`...H....e...[w.=./p....M.6..;lLx.@.....~.j.1.....$O....{..........I]..l...G.M.7a&34U..O.....^.....c....j,x.. .v.[.....k]..bL......U9.-<...PC@...j............8E...R....2oY.b........d...A.t/DS..]#.\|...B..P.^]...5....eW ...4...R.P..$..=w...Ex.U.@..w...K Q.4..!...k@....l..W....<.u'..X.58.Y}....{=.H./.......ou.i....o....X..4..._.U.}..O..4.....o.Z ..R....=wi.........gT...\.(.......i...3?....H..i......MN.p..f..!.Z.u.R}lv...)1/.HS..pn.....pZ.8...?...4=(.0.l5Iu.D.iL6a...CE....w......y. .C...:...X.Z........\....G....6.9\|@..........g..S..x..T..C$k..s(.....;.........[.V/..%h.....s..Y8........5Y...>..@....u.wm.@.t..S.=..y}T...8....o.;(.D...._i.(.<..(a7..W04J.(..s.u..L...(...:.SX)..W..GH.M.`#..h.....t.u..^...0....d...%.Q..e....^!..(y.J.KF. .Y.....5]E.R.\...bLW.FH:..o...}.q...O.....n[..)...S9\|...b.(.P..........,3....v..H..a@M`b.!.p....#=.....#.Kv......0D........(.d?C{v..t*,S..U..+...u......c.g..,...Hy.S..uQ.y....'.

C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dfwytawqsqtomosmnpgid.gac

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	7.1981851936674515
Encrypted:	false
SSDEEP:	6:nZM19YseDprNGmbYRnGI1hTN/vY/uSLmV/xjLD0nUP9rW+dxORWiHEzn:nQ9Y9p0m8hG8tjS6VNv4UPcQORB4
MD5:	CC544179F2D591106D6C8F14D6C1C8C0
SHA1:	3A31D5C3C55DA337A32955423E0F333DF1A41929
SHA-256:	168BFE37E3AC673FE9A996D4FF8507D92EA490A93D20A94E1D2D6C8636154777
SHA-512:	2AEDE5D78DED0BFCFE96C54373A8DB2F556117A177CE9C112A665593E4B3C1391E8D71E2FABF573EE3A4A3DEBA25F014337BE5FE5EC88648C01164BEFF0A85DA
Malicious:	false
Preview:	...&.Y.x..z..e.h1..]T..~.-./.`6..I.a1..N..PB<L....]..H.]..............@....==9..m.X.P..&k.....0..8t...=.'...#.0...2..j.Z..u......p..H.V.......V.~jZJB..&....n.&z....C..(X..9..%.B..r.lW9.0.KR.\|bz.l..w..=I..F.]..n....#.Ti.o.1....KB.&..0.b:..9...b.lom....K.r.v.d..

C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479232
Entropy (8bit):	7.862740136854356
Encrypted:	false
SSDEEP:	6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUpvP:qIXsgtvm1De5YlOx6lzBH46UpvP
MD5:	94974F1E2AB7872225F985D76E99EDB0
SHA1:	F6665BC49B88D92CF38889EDB3005FEDD0E8E2FF
SHA-256:	ECFD69B6CFAFA48F7B5BCB6BCF0BCCF3C91E7CC7996DDADDDA5709ADD7F5A539
SHA-512:	9380FF4823E65116C1EEE36F8CE43CCD9D0B7B371F1DA0C410237EC0DC3869646D78D820B712931982D1202F133A72C2671FE06E4EF17527A7482F65624E63AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...........A............@..........................P..............................................x...<........w..............................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc....w..........................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

Download File

Process:	C:\Users\user\Desktop\HqvlYZC7Gf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327680
Entropy (8bit):	7.263222027069389
Encrypted:	false
SSDEEP:	6144:MTw1o1IV3puaibGKFHi0mofhaH05kipz016580bHFP86JQPDHDdx/QtqR:yTgvmzFHi0mo5aH0qMzd5807FPPJQPDV
MD5:	C2093FBC0B0C6BD085F3AB7056BA31F5
SHA1:	F1C626571FF43E0C9F4518F2A0CEC59DBDFAE181
SHA-256:	90E1D9616C6AE65143F276E2DB458E713163FD610E11FA010AD4A9700425D592
SHA-512:	A3D15B3BF9DDACF5544C83D30F8912D5DD385388C2952EDA3AD5313923AD775EA6FA09F8DDC1AEC2C3F2C8FB88387B3D424FE378859F76F5977A10BBF310DFD4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.N.-AN.-AN.-A].DAM.-AK."AW.-AK.rA-.-A..4AL.-A].pAL.-A.pAC.-AN.,A..-AK.MAv.-AK.wAO.-ARichN.-A........................PE..L.....1K.............................+............@..........................`..............................................X...........................................................................H...............T............................text............................... ..`.rdata..^7.......@..................@..@.data....p....... ..................@............................................................................................................................................n..&..V}.K4M3..........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	4248
Entropy (8bit):	7.957329251765754
Encrypted:	false
SSDEEP:	96:ibhkgM8ipnEVl8a9ukWu2+/G16c5/2uRIu7F90spS:WkSipneOaRWu2uA6mhIS/pS
MD5:	2547EB3C7FC4309E0E30F0BA91DD9F62
SHA1:	9900F84F829199069CD3DBD212F2C0259B34891D
SHA-256:	C4834842132574F264AB481610796343593B33DB17DD4AB23D327E23134CAC46
SHA-512:	2F0E6A962C7027B9F25F6A74449F43BB47646F6AC0EECD67338B3379983E1D27DBEA618608DEE2B8AEAB44477F8F97DC05F0224319FD58381E4D10F3101BC6C9
Malicious:	false
Preview:	...H...'^.._....N....F....#`...H....e...[w.=./p....M.6..;lLx.@.....~.j.1.....$O....{..........I]..l...G.M.7a&34U..O.....^.....c....j,x.. .v.[.....k]..bL......U9.-<...PC@...j............8E...R....2oY.b........d...A.t/DS..]#.\|...B..P.^]...5....eW ...4...R.P..$..=w...Ex.U.@..w...K Q.4..!...k@....l..W....<.u'..X.58.Y}....{=.H./.......ou.i....o....X..4..._.U.}..O..4.....o.Z ..R....=wi.........gT...\.(.......i...3?....H..i......MN.p..f..!.Z.u.R}lv...)1/.HS..pn.....pZ.8...?...4=(.0.l5Iu.D.iL6a...CE....w......y. .C...:...X.Z........\....G....6.9\|@..........g..S..x..T..C$k..s(.....;.........[.V/..%h.....s..Y8........5Y...>..@....u.wm.@.t..S.=..y}T...8....o.;(.D...._i.(.<..(a7..W04J.(..s.u..L...(...:.SX)..W..GH.M.`#..h.....t.u..^...0....d...%.Q..e....^!..(y.J.KF. .Y.....5]E.R.\...bLW.FH:..o...}.q...O.....n[..)...S9\|...b.(.P..........,3....v..H..a@M`b.!.p....#=.....#.Kv......0D........(.d?C{v..t*,S..U..+...u......c.g..,...Hy.S..uQ.y....'.

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zjisvko.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	737280
Entropy (8bit):	3.980879741978419
Encrypted:	false
SSDEEP:	12288:+TgvmzFHi0mo5aH0qMzd5807F2HPJQPDHvd:+TgvOHi0mGaH0qSdPF2B4V
MD5:	6B760F8FDCB57B4FEFC1487B46EF20CD
SHA1:	616C3BE166C58C665993AA54959DAEBCE1FDD004
SHA-256:	8B0358FF5EC88466B32796B4C3BCC119F44059038A92518ED5B50129505219E2
SHA-512:	A514512170CC35DFD9CA2413544D94C1C4A0145983D88BB1505F2E46153802F2898FE148355D04862A8ED7A3C7C0B1E51FAF7835BF90AFA96A269B9FD6D0A78F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.N.-AN.-AN.-A].DAM.-AK."AW.-AK.rA-.-A..4AL.-A].pAL.-A.pAC.-AN.,A..-AK.MAv.-AK.wAO.-ARichN.-A........................PE..L....gzE.............................+............@..........................`..............................................X...........................................................................H...............T............................text............................... ..`.rdata..^7.......p..................@..@.data....p.......@..................@............................................................................................................................................n..&..V}.K4M3..........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zvgcrsiwskhwokiwrny.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\dfwytawqsqtomosmnpgid.gac

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	7.1981851936674515
Encrypted:	false
SSDEEP:	6:nZM19YseDprNGmbYRnGI1hTN/vY/uSLmV/xjLD0nUP9rW+dxORWiHEzn:nQ9Y9p0m8hG8tjS6VNv4UPcQORB4
MD5:	CC544179F2D591106D6C8F14D6C1C8C0
SHA1:	3A31D5C3C55DA337A32955423E0F333DF1A41929
SHA-256:	168BFE37E3AC673FE9A996D4FF8507D92EA490A93D20A94E1D2D6C8636154777
SHA-512:	2AEDE5D78DED0BFCFE96C54373A8DB2F556117A177CE9C112A665593E4B3C1391E8D71E2FABF573EE3A4A3DEBA25F014337BE5FE5EC88648C01164BEFF0A85DA
Malicious:	false
Preview:	...&.Y.x..z..e.h1..]T..~.-./.`6..I.a1..N..PB<L....]..H.]..............@....==9..m.X.P..&k.....0..8t...=.'...#.0...2..j.Z..u......p..H.V.......V.~jZJB..&....n.&z....C..(X..9..%.B..r.lW9.0.KR.\|bz.l..w..=I..F.]..n....#.Ti.o.1....KB.&..0.b:..9...b.lom....K.r.v.d..

C:\Users\user\AppData\Local\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	4248
Entropy (8bit):	7.957329251765754
Encrypted:	false
SSDEEP:	96:ibhkgM8ipnEVl8a9ukWu2+/G16c5/2uRIu7F90spS:WkSipneOaRWu2uA6mhIS/pS
MD5:	2547EB3C7FC4309E0E30F0BA91DD9F62
SHA1:	9900F84F829199069CD3DBD212F2C0259B34891D
SHA-256:	C4834842132574F264AB481610796343593B33DB17DD4AB23D327E23134CAC46
SHA-512:	2F0E6A962C7027B9F25F6A74449F43BB47646F6AC0EECD67338B3379983E1D27DBEA618608DEE2B8AEAB44477F8F97DC05F0224319FD58381E4D10F3101BC6C9
Malicious:	false
Preview:	...H...'^.._....N....F....#`...H....e...[w.=./p....M.6..;lLx.@.....~.j.1.....$O....{..........I]..l...G.M.7a&34U..O.....^.....c....j,x.. .v.[.....k]..bL......U9.-<...PC@...j............8E...R....2oY.b........d...A.t/DS..]#.\|...B..P.^]...5....eW ...4...R.P..$..=w...Ex.U.@..w...K Q.4..!...k@....l..W....<.u'..X.58.Y}....{=.H./.......ou.i....o....X..4..._.U.}..O..4.....o.Z ..R....=wi.........gT...\.(.......i...3?....H..i......MN.p..f..!.Z.u.R}lv...)1/.HS..pn.....pZ.8...?...4=(.0.l5Iu.D.iL6a...CE....w......y. .C...:...X.Z........\....G....6.9\|@..........g..S..x..T..C$k..s(.....;.........[.V/..%h.....s..Y8........5Y...>..@....u.wm.@.t..S.=..y}T...8....o.;(.D...._i.(.<..(a7..W04J.(..s.u..L...(...:.SX)..W..GH.M.`#..h.....t.u..^...0....d...%.Q..e....^!..(y.J.KF. .Y.....5]E.R.\...bLW.FH:..o...}.q...O.....n[..)...S9\|...b.(.P..........,3....v..H..a@M`b.!.p....#=.....#.Kv......0D........(.d?C{v..t*,S..U..+...u......c.g..,...Hy.S..uQ.y....'.

C:\Windows\SysWOW64\bzmkbewmkeduommczxkiz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\dfwytawqsqtomosmnpgid.gac

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	7.1981851936674515
Encrypted:	false
SSDEEP:	6:nZM19YseDprNGmbYRnGI1hTN/vY/uSLmV/xjLD0nUP9rW+dxORWiHEzn:nQ9Y9p0m8hG8tjS6VNv4UPcQORB4
MD5:	CC544179F2D591106D6C8F14D6C1C8C0
SHA1:	3A31D5C3C55DA337A32955423E0F333DF1A41929
SHA-256:	168BFE37E3AC673FE9A996D4FF8507D92EA490A93D20A94E1D2D6C8636154777
SHA-512:	2AEDE5D78DED0BFCFE96C54373A8DB2F556117A177CE9C112A665593E4B3C1391E8D71E2FABF573EE3A4A3DEBA25F014337BE5FE5EC88648C01164BEFF0A85DA
Malicious:	false
Preview:	...&.Y.x..z..e.h1..]T..~.-./.`6..I.a1..N..PB<L....]..H.]..............@....==9..m.X.P..&k.....0..8t...=.'...#.0...2..j.Z..u......p..H.V.......V.~jZJB..&....n.&z....C..(X..9..%.B..r.lW9.0.KR.\|bz.l..w..=I..F.]..n....#.Ti.o.1....KB.&..0.b:..9...b.lom....K.r.v.d..

C:\Windows\SysWOW64\fzicpocoiytgwqmyr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mjvsikbqngeunkjyurda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ojtoccrezqmarmjwql.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\srfewatkjeewrqrigftsko.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	4248
Entropy (8bit):	7.957329251765754
Encrypted:	false
SSDEEP:	96:ibhkgM8ipnEVl8a9ukWu2+/G16c5/2uRIu7F90spS:WkSipneOaRWu2uA6mhIS/pS
MD5:	2547EB3C7FC4309E0E30F0BA91DD9F62
SHA1:	9900F84F829199069CD3DBD212F2C0259B34891D
SHA-256:	C4834842132574F264AB481610796343593B33DB17DD4AB23D327E23134CAC46
SHA-512:	2F0E6A962C7027B9F25F6A74449F43BB47646F6AC0EECD67338B3379983E1D27DBEA618608DEE2B8AEAB44477F8F97DC05F0224319FD58381E4D10F3101BC6C9
Malicious:	false
Preview:	...H...'^.._....N....F....#`...H....e...[w.=./p....M.6..;lLx.@.....~.j.1.....$O....{..........I]..l...G.M.7a&34U..O.....^.....c....j,x.. .v.[.....k]..bL......U9.-<...PC@...j............8E...R....2oY.b........d...A.t/DS..]#.\|...B..P.^]...5....eW ...4...R.P..$..=w...Ex.U.@..w...K Q.4..!...k@....l..W....<.u'..X.58.Y}....{=.H./.......ou.i....o....X..4..._.U.}..O..4.....o.Z ..R....=wi.........gT...\.(.......i...3?....H..i......MN.p..f..!.Z.u.R}lv...)1/.HS..pn.....pZ.8...?...4=(.0.l5Iu.D.iL6a...CE....w......y. .C...:...X.Z........\....G....6.9\|@..........g..S..x..T..C$k..s(.....;.........[.V/..%h.....s..Y8........5Y...>..@....u.wm.@.t..S.=..y}T...8....o.;(.D...._i.(.<..(a7..W04J.(..s.u..L...(...:.SX)..W..GH.M.`#..h.....t.u..^...0....d...%.Q..e....^!..(y.J.KF. .Y.....5]E.R.\...bLW.FH:..o...}.q...O.....n[..)...S9\|...b.(.P..........,3....v..H..a@M`b.!.p....#=.....#.Kv......0D........(.d?C{v..t*,S..U..+...u......c.g..,...Hy.S..uQ.y....'.

C:\Windows\SysWOW64\yrzsecpaticodwrc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\zvgcrsiwskhwokiwrny.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\bzmkbewmkeduommczxkiz.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\dfwytawqsqtomosmnpgid.gac

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	7.1981851936674515
Encrypted:	false
SSDEEP:	6:nZM19YseDprNGmbYRnGI1hTN/vY/uSLmV/xjLD0nUP9rW+dxORWiHEzn:nQ9Y9p0m8hG8tjS6VNv4UPcQORB4
MD5:	CC544179F2D591106D6C8F14D6C1C8C0
SHA1:	3A31D5C3C55DA337A32955423E0F333DF1A41929
SHA-256:	168BFE37E3AC673FE9A996D4FF8507D92EA490A93D20A94E1D2D6C8636154777
SHA-512:	2AEDE5D78DED0BFCFE96C54373A8DB2F556117A177CE9C112A665593E4B3C1391E8D71E2FABF573EE3A4A3DEBA25F014337BE5FE5EC88648C01164BEFF0A85DA
Malicious:	false
Preview:	...&.Y.x..z..e.h1..]T..~.-./.`6..I.a1..N..PB<L....]..H.]..............@....==9..m.X.P..&k.....0..8t...=.'...#.0...2..j.Z..u......p..H.V.......V.~jZJB..&....n.&z....C..(X..9..%.B..r.lW9.0.KR.\|bz.l..w..=I..F.]..n....#.Ti.o.1....KB.&..0.b:..9...b.lom....K.r.v.d..

C:\Windows\fzicpocoiytgwqmyr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mjvsikbqngeunkjyurda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ojtoccrezqmarmjwql.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\srfewatkjeewrqrigftsko.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	data
Category:	dropped
Size (bytes):	4248
Entropy (8bit):	7.957329251765754
Encrypted:	false
SSDEEP:	96:ibhkgM8ipnEVl8a9ukWu2+/G16c5/2uRIu7F90spS:WkSipneOaRWu2uA6mhIS/pS
MD5:	2547EB3C7FC4309E0E30F0BA91DD9F62
SHA1:	9900F84F829199069CD3DBD212F2C0259B34891D
SHA-256:	C4834842132574F264AB481610796343593B33DB17DD4AB23D327E23134CAC46
SHA-512:	2F0E6A962C7027B9F25F6A74449F43BB47646F6AC0EECD67338B3379983E1D27DBEA618608DEE2B8AEAB44477F8F97DC05F0224319FD58381E4D10F3101BC6C9
Malicious:	false
Preview:	...H...'^.._....N....F....#`...H....e...[w.=./p....M.6..;lLx.@.....~.j.1.....$O....{..........I]..l...G.M.7a&34U..O.....^.....c....j,x.. .v.[.....k]..bL......U9.-<...PC@...j............8E...R....2oY.b........d...A.t/DS..]#.\|...B..P.^]...5....eW ...4...R.P..$..=w...Ex.U.@..w...K Q.4..!...k@....l..W....<.u'..X.58.Y}....{=.H./.......ou.i....o....X..4..._.U.}..O..4.....o.Z ..R....=wi.........gT...\.(.......i...3?....H..i......MN.p..f..!.Z.u.R}lv...)1/.HS..pn.....pZ.8...?...4=(.0.l5Iu.D.iL6a...CE....w......y. .C...:...X.Z........\....G....6.9\|@..........g..S..x..T..C$k..s(.....;.........[.V/..%h.....s..Y8........5Y...>..@....u.wm.@.t..S.=..y}T...8....o.;(.D...._i.(.<..(a7..W04J.(..s.u..L...(...:.SX)..W..GH.M.`#..h.....t.u..^...0....d...%.Q..e....^!..(y.J.KF. .Y.....5]E.R.\...bLW.FH:..o...}.q...O.....n[..)...S9\|...b.(.P..........,3....v..H..a@M`b.!.p....#=.....#.Kv......0D........(.d?C{v..t*,S..U..+...u......c.g..,...Hy.S..uQ.y....'.

C:\Windows\yrzsecpaticodwrc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\zvgcrsiwskhwokiwrny.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1040384
Entropy (8bit):	4.612147157482853
Encrypted:	false
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
MD5:	2CDB760530EC92B79EE2BF80371CAC90
SHA1:	70EF5A50636AFAAA91FF0CB0DF77F7E2FE14B6B2
SHA-256:	E0E9067BD90B97AF4C6BCDFEE36FAD24B4CF382BE9314D58532ACC0DB0C7B37B
SHA-512:	E37804EA5CCFD67AC3960AF429C72929286A2FA730953F89FD64E113210870395524FA3873F45F31DAA579F22E06768BA7AA947D58DAED3C2B8907B754B15342
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...`.......A............@.........................................................................x...<.......................................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\autorun.inf

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	Microsoft Windows Autorun file
Category:	dropped
Size (bytes):	812
Entropy (8bit):	4.939318306408468
Encrypted:	false
SSDEEP:	12:1MbqKssMbqKsGMbqKsD5UXzMbqKsDdVEsMbqKsDVcUEuMbqKs5:1MqKLMqKnMqKsKjMqKsdPMqKsPfMqKC
MD5:	76334BDF7885809657E5BDC7EC6EFDF5
SHA1:	5313B492144559874B47911EFBC9AB9CD88547BB
SHA-256:	14087DA5E6309C81BA8AB6C11C3E4A2C2B1571BD7F9FEEB75B92B5021A87C223
SHA-512:	95E7AE478B163200A9C04E70DE8E5D9473C5B545D794C504F05DEF2063B2A6FA8D40CBF4B921241E665B47F4338067D8AA543DB95E0C877074130EA0C55C821C
Malicious:	true
Preview:	;icodwrcunvoaylwpeykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..[AutoRun]..;peykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..open=ylnagyfkxg.bat..;oaylwpeykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..shell\\open\\Command=qfjygajqfqgo.bat _..;rzsecpaticodwrcunvoaylwpeykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..shell\\open\\Default=1..shell\\explore\\Default=2..;rcunvoaylwpeykzsnyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..shell\\explore\\Command=qhneokveviakxo.bat _..;snyqjrkwuhslaugvojumfngsqdohwqcrkfqibjcomzkdsmyngbmexfykivgzoiujcxiatbugercvkeqfytewpxqcany..

C:\qfjygajqfqgo.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479232
Entropy (8bit):	7.862740136854356
Encrypted:	false
SSDEEP:	6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUpvP:qIXsgtvm1De5YlOx6lzBH46UpvP
MD5:	94974F1E2AB7872225F985D76E99EDB0
SHA1:	F6665BC49B88D92CF38889EDB3005FEDD0E8E2FF
SHA-256:	ECFD69B6CFAFA48F7B5BCB6BCF0BCCF3C91E7CC7996DDADDDA5709ADD7F5A539
SHA-512:	9380FF4823E65116C1EEE36F8CE43CCD9D0B7B371F1DA0C410237EC0DC3869646D78D820B712931982D1202F133A72C2671FE06E4EF17527A7482F65624E63AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...........A............@..........................P..............................................x...<........w..............................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc....w..........................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\qhneokveviakxo.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479232
Entropy (8bit):	7.862740136854356
Encrypted:	false
SSDEEP:	6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUpvP:qIXsgtvm1De5YlOx6lzBH46UpvP
MD5:	94974F1E2AB7872225F985D76E99EDB0
SHA1:	F6665BC49B88D92CF38889EDB3005FEDD0E8E2FF
SHA-256:	ECFD69B6CFAFA48F7B5BCB6BCF0BCCF3C91E7CC7996DDADDDA5709ADD7F5A539
SHA-512:	9380FF4823E65116C1EEE36F8CE43CCD9D0B7B371F1DA0C410237EC0DC3869646D78D820B712931982D1202F133A72C2671FE06E4EF17527A7482F65624E63AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...........A............@..........................P..............................................x...<........w..............................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc....w..........................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\ylnagyfkxg.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479232
Entropy (8bit):	7.862740136854356
Encrypted:	false
SSDEEP:	6144:qIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUpvP:qIXsgtvm1De5YlOx6lzBH46UpvP
MD5:	94974F1E2AB7872225F985D76E99EDB0
SHA1:	F6665BC49B88D92CF38889EDB3005FEDD0E8E2FF
SHA-256:	ECFD69B6CFAFA48F7B5BCB6BCF0BCCF3C91E7CC7996DDADDDA5709ADD7F5A539
SHA-512:	9380FF4823E65116C1EEE36F8CE43CCD9D0B7B371F1DA0C410237EC0DC3869646D78D820B712931982D1202F133A72C2671FE06E4EF17527A7482F65624E63AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L....@ZI.................p...........A............@..........................P..............................................x...<........w..............................................................H............................................text....m.......p.................. ..`.rdata..*........ ..................@..@.data...8).......0..................@....rsrc....w..........................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.612147157482853
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HqvlYZC7Gf.exe
File size:	1'040'384 bytes
MD5:	2cdb760530ec92b79ee2bf80371cac90
SHA1:	70ef5a50636afaaa91ff0cb0df77f7e2fe14b6b2
SHA256:	e0e9067bd90b97af4c6bcdfee36fad24b4cf382be9314d58532acc0db0c7b37b
SHA512:	e37804ea5ccfd67ac3960af429c72929286a2fa730953f89fd64e113210870395524fa3873f45f31daa579f22e06768ba7aa947d58daed3c2b8907b754b15342
SSDEEP:	6144:wIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:wIXsgtvm1De5YlOx6lzBH46Umu1q
TLSH:	D625E0147912DCB9DE2A6AB8D04D88FA465F5C27D5C9012F23F07FC9B2751D0888EEE9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.lQ..?Q..?Q..?B..?P..?T..?x..?T..?]..?.!.?S..?...?R..?Q..?...?T..?R..?...?P..?T..?P..?RichQ..?........................PE..L..

File Icon


Icon Hash:	b38bc1a1e7b25923

Static PE Info

General

Entrypoint:	0x4041d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x495A40E6 [Tue Dec 30 15:40:22 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	773d7937b438e0107267de7afcefad28

Entrypoint Preview

Instruction
push 00000060h
push 00408138h
call 00007FC524BEC493h
mov edi, 00000094h
mov eax, edi
call 00007FC524BEC5EBh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [00408064h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0046C3BCh], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0046C3C8h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0046C3CCh], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0046C3C0h], esi
cmp ecx, 02h
je 00007FC524BEB71Eh
or esi, 00008000h
mov dword ptr [0046C3C0h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0046C3C4h], eax
xor esi, esi
push esi
mov edi, dword ptr [00408058h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FC524BEB731h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FC524BEB724h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FC524BEB731h
cmp eax, 0000020Bh
je 00007FC524BEB717h
mov dword ptr [ebp-1Ch], esi
jmp 00007FC524BEB739h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FC524BEB704h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FC524BEB720h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FC524BEB6F4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ C ] VS2003 (.NET) build 3077
[ASM] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d78	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0xc180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8d10	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x7000	a7bd0ea357371b7b19c0cb2a3a8f2ad0	False	0.46365792410714285	data	6.23372473313081	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x132a	0x2000	7cc61a3397d1ea04897e6b33a79bf078	False	0.2130126953125	COM executable for DOS	3.343352300925096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x62938	0x63000	f355c62f0530688a40128f0d2b63f21e	False	0.8952760022095959	Matlab v4 mat-file (little endian) \310X@, numeric, rows 4222145, columns 0	7.9899679469399985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d000	0x908e4	0x91000	df9e20ea9e7b51a85997011de831d4b6	False	0.04047009698275862	data	0.8509390790115429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d3a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.6317567567567568
RT_ICON	0x6d4c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4819364161849711
RT_ICON	0x6da30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5789007092198581
RT_ICON	0x6de98	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.5940860215053764
RT_ICON	0x6e180	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.5487364620938628
RT_ICON	0x6ea28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.700046904315197
RT_ICON	0x6fad0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.46961620469083154
RT_ICON	0x70978	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.6362033195020746
RT_ICON	0x72f20	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.3042682926829268
RT_ICON	0x73588	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.4032258064516129
RT_ICON	0x73870	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.5574324324324325
RT_ICON	0x73998	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.39738805970149255
RT_ICON	0x74840	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.44945848375451264
RT_ICON	0x750e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.4985549132947977
RT_ICON	0x75650	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.34066390041493777
RT_ICON	0x77bf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3803939962476548
RT_ICON	0x78ca0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5088652482269503
RT_GROUP_ICON	0x79108	0x76	data	English	United States	0.652542372881356

Imports

DLL

Import

KERNEL32.dll

CloseHandle, FreeLibrary, GetProcAddress, LoadLibraryA, GetTempPathA, GetFileAttributesA, GetComputerNameA, Sleep, GetCurrentDirectoryA, GetModuleFileNameA, SetErrorMode, WriteFile, GetTickCount, CreateFileA, Process32Next, Process32First, CreateToolhelp32Snapshot, GetLastError, CreateMutexA, OpenMutexA, VirtualProtect, GetLocaleInfoA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersionExA, ExitProcess, TerminateProcess, GetCurrentProcess, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, GetACP, GetOEMCP, GetCPInfo, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, InterlockedExchange, VirtualQuery, HeapSize, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetSystemInfo

SHELL32.dll

ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-15T15:39:04.516532+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:04.516532+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:04.516532+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49799	104.19.223.79	80	TCP
2024-10-15T15:39:05.944586+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:05.944586+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:05.944586+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49800	172.67.155.175	80	TCP
2024-10-15T15:39:09.546757+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:09.546757+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:09.546757+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49803	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:10.856018+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49804	104.19.223.79	80	TCP
2024-10-15T15:39:12.302442+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:12.302442+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:12.302442+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49805	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:17.912787+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49810	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:21.359177+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49813	104.27.206.92	80	TCP
2024-10-15T15:39:22.660608+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:22.660608+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:22.660608+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49814	104.19.223.79	80	TCP
2024-10-15T15:39:24.111158+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49815	34.111.176.156	80	TCP
2024-10-15T15:39:24.111158+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49815	34.111.176.156	80	TCP
2024-10-15T15:39:24.718814+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49819	31.13.67.35	80	TCP
2024-10-15T15:39:24.718814+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49819	31.13.67.35	80	TCP
2024-10-15T15:39:24.820055+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49818	35.164.78.200	80	TCP
2024-10-15T15:39:24.820055+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49818	35.164.78.200	80	TCP
2024-10-15T15:39:25.001188+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:25.001188+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:25.001188+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49820	104.19.223.79	80	TCP
2024-10-15T15:39:25.100253+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	35.164.78.200	80	192.168.11.30	49818	TCP
2024-10-15T15:39:25.100253+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	35.164.78.200	80	192.168.11.30	49818	TCP
2024-10-15T15:39:26.307764+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:26.307764+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:26.307764+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49822	104.27.206.92	80	TCP
2024-10-15T15:39:26.339356+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49821	85.214.228.140	80	TCP
2024-10-15T15:39:26.339356+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49821	85.214.228.140	80	TCP
2024-10-15T15:39:29.201995+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49825	208.100.26.245	80	TCP
2024-10-15T15:39:29.201995+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49825	208.100.26.245	80	TCP
2024-10-15T15:39:29.880511+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:29.880511+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:29.880511+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49827	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:33.208180+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49831	104.19.223.79	80	TCP
2024-10-15T15:39:34.503486+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:34.503486+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:34.503486+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49833	172.67.155.175	80	TCP
2024-10-15T15:39:35.819415+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:35.819415+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:35.819415+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49834	104.19.223.79	80	TCP
2024-10-15T15:39:38.405222+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:38.405222+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:38.405222+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49838	104.27.207.92	80	TCP
2024-10-15T15:39:40.725141+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:40.725141+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:40.725141+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49842	172.67.155.175	80	TCP
2024-10-15T15:39:42.019421+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:42.019421+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:42.019421+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49843	104.27.207.92	80	TCP
2024-10-15T15:39:43.319151+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:43.319151+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:43.319151+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49844	104.19.223.79	80	TCP
2024-10-15T15:39:45.762930+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:45.762930+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:45.762930+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49848	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:47.050668+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49850	104.27.207.92	80	TCP
2024-10-15T15:39:48.354841+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:48.354841+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:48.354841+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49851	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:49.639115+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49853	104.19.223.79	80	TCP
2024-10-15T15:39:51.158491+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49855	18.64.172.225	80	TCP
2024-10-15T15:39:51.158491+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49855	18.64.172.225	80	TCP
2024-10-15T15:39:51.457160+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:51.457160+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:51.457160+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49856	104.27.207.92	80	TCP
2024-10-15T15:39:52.748770+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:52.748770+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:52.748770+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49859	172.67.155.175	80	TCP
2024-10-15T15:39:55.210914+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:55.210914+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:55.210914+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49861	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:39:56.540651+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49862	104.27.207.92	80	TCP
2024-10-15T15:40:00.123881+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:00.123881+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:00.123881+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49867	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:03.478251+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49871	172.67.155.175	80	TCP
2024-10-15T15:40:05.929226+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:05.929226+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:05.929226+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49875	104.27.207.92	80	TCP
2024-10-15T15:40:08.247126+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:08.247126+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:08.247126+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49877	104.19.223.79	80	TCP
2024-10-15T15:40:10.687194+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:10.687194+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:10.687194+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49880	172.67.155.175	80	TCP
2024-10-15T15:40:12.037433+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:12.037433+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:12.037433+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49882	104.27.207.92	80	TCP
2024-10-15T15:40:13.895775+0200	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.11.30	61373	UDP
2024-10-15T15:40:14.497426+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:14.497426+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:14.497426+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49885	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:15.793845+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49887	104.27.207.92	80	TCP
2024-10-15T15:40:17.183166+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49889	18.64.172.225	80	TCP
2024-10-15T15:40:17.183166+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49889	18.64.172.225	80	TCP
2024-10-15T15:40:18.490635+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:18.490635+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:18.490635+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49892	104.27.207.92	80	TCP
2024-10-15T15:40:19.798795+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:19.798795+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:19.798795+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49894	172.67.155.175	80	TCP
2024-10-15T15:40:21.109031+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:21.109031+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:21.109031+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49896	104.19.223.79	80	TCP
2024-10-15T15:40:22.406157+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:22.406157+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:22.406157+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49897	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:24.894183+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49901	104.27.207.92	80	TCP
2024-10-15T15:40:27.208180+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:27.208180+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:27.208180+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49904	104.19.223.79	80	TCP
2024-10-15T15:40:28.506677+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:28.506677+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:28.506677+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49905	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:30.950610+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49909	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:33.272161+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49913	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:34.592839+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49914	172.67.155.175	80	TCP
2024-10-15T15:40:35.899228+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:35.899228+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:35.899228+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49915	104.27.207.92	80	TCP
2024-10-15T15:40:38.335973+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:38.335973+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:38.335973+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49919	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:41.681987+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49924	104.19.223.79	80	TCP
2024-10-15T15:40:43.251312+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49926	151.101.128.81	80	TCP
2024-10-15T15:40:43.251312+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49926	151.101.128.81	80	TCP
2024-10-15T15:40:43.573656+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:43.573656+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:43.573656+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49927	172.67.155.175	80	TCP
2024-10-15T15:40:47.294589+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:47.294589+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:47.294589+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49932	104.27.207.92	80	TCP
2024-10-15T15:40:50.649816+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:50.649816+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:50.649816+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49937	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:53.821856+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49941	104.19.223.79	80	TCP
2024-10-15T15:40:57.267600+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:40:57.267600+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:40:57.267600+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49945	172.67.155.175	80	TCP
2024-10-15T15:41:03.892130+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:03.892130+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:03.892130+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49954	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2803306	ETPRO MALWARE Common Downloader Header Pattern Specific Mozilla 5 HAUC	3	192.168.11.30	49959	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2803307	ETPRO MALWARE Common Downloader Header Pattern General HAUC	3	192.168.11.30	49959	104.19.223.79	80	TCP
2024-10-15T15:41:07.467550+0200	2018773	ET MALWARE Win32/Pykspa.C Public IP Check	1	192.168.11.30	49959	104.19.223.79	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 15:39:04.242822886 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.371661901 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.371860027 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.374111891 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.503093958 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.516160965 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.516304970 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.516375065 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.516447067 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.516531944 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.516623974 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.517328024 CEST	80	49799	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:04.517549038 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:04.521821976 CEST	49799	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:05.666101933 CEST	49800	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:05.795595884 CEST	80	49800	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:05.795856953 CEST	49800	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:05.798021078 CEST	49800	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:05.926664114 CEST	80	49800	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:05.944278955 CEST	80	49800	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:05.944317102 CEST	80	49800	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:05.944586039 CEST	49800	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:05.954962969 CEST	49800	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:09.251648903 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:09.380289078 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.380517960 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:09.382644892 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:09.512250900 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546524048 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546600103 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546659946 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546756983 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:09.546806097 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546860933 CEST	80	49803	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:09.546998024 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:09.552442074 CEST	49803	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.562361956 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.691015959 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.691190958 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.693607092 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.821844101 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.855709076 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.855818987 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.855833054 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.856018066 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.856065989 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.856190920 CEST	80	49804	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:10.856220961 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.856492996 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:10.874780893 CEST	49804	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:12.022248983 CEST	49805	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:12.151946068 CEST	80	49805	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:12.152265072 CEST	49805	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:12.154522896 CEST	49805	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:12.284625053 CEST	80	49805	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:12.301763058 CEST	80	49805	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:12.302201986 CEST	80	49805	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:12.302442074 CEST	49805	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:12.309391022 CEST	49805	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:17.638896942 CEST	49810	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:17.768130064 CEST	80	49810	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:17.768563032 CEST	49810	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:17.770518064 CEST	49810	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:17.902641058 CEST	80	49810	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:17.910665989 CEST	80	49810	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:17.912564039 CEST	80	49810	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:17.912786961 CEST	49810	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:17.916366100 CEST	49810	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:21.075686932 CEST	49813	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:21.204982042 CEST	80	49813	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:21.205216885 CEST	49813	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:21.207192898 CEST	49813	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:21.335750103 CEST	80	49813	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:21.357883930 CEST	80	49813	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:21.358778000 CEST	80	49813	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:21.359177113 CEST	49813	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:21.364089966 CEST	49813	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:22.372678041 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.500669956 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.500904083 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.502989054 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.631288052 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.660245895 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.660382986 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.660464048 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.660545111 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.660608053 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.660723925 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.662300110 CEST	80	49814	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:22.662544966 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:22.665029049 CEST	49814	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:23.850297928 CEST	49815	80	192.168.11.30	34.111.176.156
Oct 15, 2024 15:39:23.979032993 CEST	80	49815	34.111.176.156	192.168.11.30
Oct 15, 2024 15:39:23.979242086 CEST	49815	80	192.168.11.30	34.111.176.156
Oct 15, 2024 15:39:23.981647015 CEST	49815	80	192.168.11.30	34.111.176.156
Oct 15, 2024 15:39:24.110230923 CEST	80	49815	34.111.176.156	192.168.11.30
Oct 15, 2024 15:39:24.110925913 CEST	80	49815	34.111.176.156	192.168.11.30
Oct 15, 2024 15:39:24.110990047 CEST	80	49815	34.111.176.156	192.168.11.30
Oct 15, 2024 15:39:24.111157894 CEST	49815	80	192.168.11.30	34.111.176.156
Oct 15, 2024 15:39:24.113224983 CEST	49815	80	192.168.11.30	34.111.176.156
Oct 15, 2024 15:39:24.137845039 CEST	49817	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:39:24.242940903 CEST	80	49815	34.111.176.156	192.168.11.30
Oct 15, 2024 15:39:24.262157917 CEST	49818	80	192.168.11.30	35.164.78.200
Oct 15, 2024 15:39:24.453071117 CEST	49819	80	192.168.11.30	31.13.67.35
Oct 15, 2024 15:39:24.467858076 CEST	13918	49817	114.25.71.193	192.168.11.30
Oct 15, 2024 15:39:24.538863897 CEST	80	49818	35.164.78.200	192.168.11.30
Oct 15, 2024 15:39:24.539112091 CEST	49818	80	192.168.11.30	35.164.78.200
Oct 15, 2024 15:39:24.542615891 CEST	49818	80	192.168.11.30	35.164.78.200
Oct 15, 2024 15:39:24.582798958 CEST	80	49819	31.13.67.35	192.168.11.30
Oct 15, 2024 15:39:24.583039045 CEST	49819	80	192.168.11.30	31.13.67.35
Oct 15, 2024 15:39:24.588140011 CEST	49819	80	192.168.11.30	31.13.67.35
Oct 15, 2024 15:39:24.718425035 CEST	80	49819	31.13.67.35	192.168.11.30
Oct 15, 2024 15:39:24.718518972 CEST	80	49819	31.13.67.35	192.168.11.30
Oct 15, 2024 15:39:24.718626022 CEST	80	49819	31.13.67.35	192.168.11.30
Oct 15, 2024 15:39:24.718813896 CEST	49819	80	192.168.11.30	31.13.67.35
Oct 15, 2024 15:39:24.720505953 CEST	49819	80	192.168.11.30	31.13.67.35
Oct 15, 2024 15:39:24.722729921 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:24.819224119 CEST	80	49818	35.164.78.200	192.168.11.30
Oct 15, 2024 15:39:24.819334030 CEST	80	49818	35.164.78.200	192.168.11.30
Oct 15, 2024 15:39:24.819726944 CEST	80	49818	35.164.78.200	192.168.11.30
Oct 15, 2024 15:39:24.820055008 CEST	49818	80	192.168.11.30	35.164.78.200
Oct 15, 2024 15:39:24.823591948 CEST	49818	80	192.168.11.30	35.164.78.200
Oct 15, 2024 15:39:24.850197077 CEST	80	49819	31.13.67.35	192.168.11.30
Oct 15, 2024 15:39:24.851749897 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:24.852818966 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:24.855096102 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:24.978293896 CEST	49817	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:39:24.983392954 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.000981092 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.001034975 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.001058102 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.001080036 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.001188040 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:25.001188040 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:25.002053976 CEST	80	49820	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:25.002193928 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:25.012926102 CEST	49820	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:25.100253105 CEST	80	49818	35.164.78.200	192.168.11.30
Oct 15, 2024 15:39:25.305879116 CEST	13918	49817	114.25.71.193	192.168.11.30
Oct 15, 2024 15:39:25.806216002 CEST	49817	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:39:25.814349890 CEST	49821	80	192.168.11.30	85.214.228.140
Oct 15, 2024 15:39:26.027127028 CEST	49822	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:26.074188948 CEST	80	49821	85.214.228.140	192.168.11.30
Oct 15, 2024 15:39:26.074388027 CEST	49821	80	192.168.11.30	85.214.228.140
Oct 15, 2024 15:39:26.076550007 CEST	49821	80	192.168.11.30	85.214.228.140
Oct 15, 2024 15:39:26.134969950 CEST	13918	49817	114.25.71.193	192.168.11.30
Oct 15, 2024 15:39:26.156415939 CEST	80	49822	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:26.156553984 CEST	49822	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:26.159084082 CEST	49822	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:26.288374901 CEST	80	49822	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:26.307447910 CEST	80	49822	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:26.307601929 CEST	80	49822	104.27.206.92	192.168.11.30
Oct 15, 2024 15:39:26.307764053 CEST	49822	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:26.314801931 CEST	49822	80	192.168.11.30	104.27.206.92
Oct 15, 2024 15:39:26.338108063 CEST	80	49821	85.214.228.140	192.168.11.30
Oct 15, 2024 15:39:26.339117050 CEST	80	49821	85.214.228.140	192.168.11.30
Oct 15, 2024 15:39:26.339226961 CEST	80	49821	85.214.228.140	192.168.11.30
Oct 15, 2024 15:39:26.339355946 CEST	49821	80	192.168.11.30	85.214.228.140
Oct 15, 2024 15:39:26.340445995 CEST	49821	80	192.168.11.30	85.214.228.140
Oct 15, 2024 15:39:26.649796009 CEST	49817	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:39:26.978795052 CEST	13918	49817	114.25.71.193	192.168.11.30
Oct 15, 2024 15:39:27.493376017 CEST	49817	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:39:27.822752953 CEST	13918	49817	114.25.71.193	192.168.11.30
Oct 15, 2024 15:39:28.873507023 CEST	49825	80	192.168.11.30	208.100.26.245
Oct 15, 2024 15:39:29.015845060 CEST	49826	22027	192.168.11.30	178.90.73.188
Oct 15, 2024 15:39:29.031713963 CEST	80	49825	208.100.26.245	192.168.11.30
Oct 15, 2024 15:39:29.031924009 CEST	49825	80	192.168.11.30	208.100.26.245
Oct 15, 2024 15:39:29.034244061 CEST	49825	80	192.168.11.30	208.100.26.245
Oct 15, 2024 15:39:29.201381922 CEST	80	49825	208.100.26.245	192.168.11.30
Oct 15, 2024 15:39:29.201827049 CEST	80	49825	208.100.26.245	192.168.11.30
Oct 15, 2024 15:39:29.201848984 CEST	80	49825	208.100.26.245	192.168.11.30
Oct 15, 2024 15:39:29.201994896 CEST	49825	80	192.168.11.30	208.100.26.245
Oct 15, 2024 15:39:29.203644991 CEST	49825	80	192.168.11.30	208.100.26.245
Oct 15, 2024 15:39:29.350341082 CEST	22027	49826	178.90.73.188	192.168.11.30
Oct 15, 2024 15:39:29.606262922 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:29.734359980 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.734498024 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:29.736737013 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:29.852154016 CEST	49826	22027	192.168.11.30	178.90.73.188
Oct 15, 2024 15:39:29.864798069 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880258083 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880287886 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880307913 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880330086 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880511045 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:29.880625963 CEST	80	49827	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:29.880769014 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:29.886435986 CEST	49827	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:30.190551043 CEST	22027	49826	178.90.73.188	192.168.11.30
Oct 15, 2024 15:39:30.419259071 CEST	49828	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:30.622585058 CEST	80	49828	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:30.695703983 CEST	49826	22027	192.168.11.30	178.90.73.188
Oct 15, 2024 15:39:31.032820940 CEST	22027	49826	178.90.73.188	192.168.11.30
Oct 15, 2024 15:39:31.133115053 CEST	49828	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:31.334639072 CEST	80	49828	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:31.539266109 CEST	49826	22027	192.168.11.30	178.90.73.188
Oct 15, 2024 15:39:31.836106062 CEST	49828	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:31.873452902 CEST	22027	49826	178.90.73.188	192.168.11.30
Oct 15, 2024 15:39:32.037581921 CEST	80	49828	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:32.382828951 CEST	49826	22027	192.168.11.30	178.90.73.188
Oct 15, 2024 15:39:32.539073944 CEST	49828	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:32.717015028 CEST	22027	49826	178.90.73.188	192.168.11.30
Oct 15, 2024 15:39:32.740537882 CEST	80	49828	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:32.932266951 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.061413050 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.061613083 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.064106941 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.192878962 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.207948923 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.207993031 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.208008051 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.208139896 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.208179951 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.208344936 CEST	80	49831	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:33.208795071 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.208795071 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.215476036 CEST	49831	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:33.242012024 CEST	49828	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:33.443288088 CEST	80	49828	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:33.897181034 CEST	49832	41100	192.168.11.30	89.215.115.4
Oct 15, 2024 15:39:34.228988886 CEST	49833	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:34.357969046 CEST	80	49833	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:34.358187914 CEST	49833	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:34.361063004 CEST	49833	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:34.489459038 CEST	80	49833	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:34.503163099 CEST	80	49833	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:34.503340006 CEST	80	49833	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:34.503485918 CEST	49833	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:34.514848948 CEST	49833	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:34.897883892 CEST	49832	41100	192.168.11.30	89.215.115.4
Oct 15, 2024 15:39:35.525268078 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:35.653934002 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.654109955 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:35.656472921 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:35.785623074 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.819214106 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.819267035 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.819415092 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:35.819942951 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.820050001 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.820070028 CEST	80	49834	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:35.820250034 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:35.824384928 CEST	49834	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:36.418750048 CEST	49836	445	192.168.11.30	192.168.11.2
Oct 15, 2024 15:39:36.913079977 CEST	49832	41100	192.168.11.30	89.215.115.4
Oct 15, 2024 15:39:37.428540945 CEST	49836	445	192.168.11.30	192.168.11.2
Oct 15, 2024 15:39:38.107388973 CEST	49838	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:38.238141060 CEST	80	49838	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:38.238390923 CEST	49838	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:38.240591049 CEST	49838	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:38.368957996 CEST	80	49838	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:38.405069113 CEST	80	49838	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:38.405095100 CEST	80	49838	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:38.405221939 CEST	49838	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:38.411865950 CEST	49838	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:39.443722963 CEST	49836	445	192.168.11.30	192.168.11.2
Oct 15, 2024 15:39:40.087851048 CEST	49840	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:39:40.428386927 CEST	49841	445	192.168.11.30	192.168.11.3
Oct 15, 2024 15:39:40.430876970 CEST	49842	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:40.560193062 CEST	80	49842	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:40.560386896 CEST	49842	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:40.562753916 CEST	49842	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:40.691701889 CEST	80	49842	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:40.723990917 CEST	80	49842	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:40.724991083 CEST	80	49842	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:40.725141048 CEST	49842	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:40.731420040 CEST	49842	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:41.099581003 CEST	49840	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:39:41.427649975 CEST	49841	445	192.168.11.30	192.168.11.3
Oct 15, 2024 15:39:41.742388964 CEST	49843	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:41.871525049 CEST	80	49843	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:41.871682882 CEST	49843	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:41.874092102 CEST	49843	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:42.003355026 CEST	80	49843	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:42.018630981 CEST	80	49843	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:42.019290924 CEST	80	49843	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:42.019421101 CEST	49843	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:42.026349068 CEST	49843	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:43.039022923 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.114700079 CEST	49840	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:39:43.168188095 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.168874025 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.171327114 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.299724102 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.318856955 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.318959951 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.319073915 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.319150925 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.319186926 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.319351912 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.319988012 CEST	80	49844	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:43.320138931 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.324120045 CEST	49844	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:43.442828894 CEST	49841	445	192.168.11.30	192.168.11.3
Oct 15, 2024 15:39:44.442871094 CEST	49845	445	192.168.11.30	192.168.11.4
Oct 15, 2024 15:39:45.292699099 CEST	49847	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:45.457936049 CEST	49845	445	192.168.11.30	192.168.11.4
Oct 15, 2024 15:39:45.476301908 CEST	49848	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:45.495054960 CEST	80	49847	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:45.606981039 CEST	80	49848	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:45.607237101 CEST	49848	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:45.609272003 CEST	49848	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:45.738652945 CEST	80	49848	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:45.757122993 CEST	80	49848	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:45.762929916 CEST	49848	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:45.763927937 CEST	80	49848	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:45.764027119 CEST	49848	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:46.004750967 CEST	49847	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:46.208110094 CEST	80	49847	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:46.284784079 CEST	49849	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:39:46.723299026 CEST	49847	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:46.772892952 CEST	49850	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:46.901905060 CEST	80	49850	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:46.902062893 CEST	49850	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:46.904325008 CEST	49850	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:46.925785065 CEST	80	49847	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:47.034538984 CEST	80	49850	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:47.050240040 CEST	80	49850	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:47.050542116 CEST	80	49850	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:47.050668001 CEST	49850	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:47.059210062 CEST	49850	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:47.285729885 CEST	49849	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:39:47.426309109 CEST	49847	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:47.473192930 CEST	49845	445	192.168.11.30	192.168.11.4
Oct 15, 2024 15:39:47.628381014 CEST	80	49847	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:48.069602013 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.129298925 CEST	49847	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:48.198445082 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.198638916 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.200788975 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.328577042 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.331372976 CEST	80	49847	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:48.354157925 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.354233980 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.354248047 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.354599953 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.354840994 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.354917049 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.355179071 CEST	80	49851	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:48.355395079 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.361996889 CEST	49851	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:48.457583904 CEST	49852	445	192.168.11.30	192.168.11.5
Oct 15, 2024 15:39:49.300862074 CEST	49849	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:39:49.366061926 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.472743034 CEST	49852	445	192.168.11.30	192.168.11.5
Oct 15, 2024 15:39:49.494848967 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.495037079 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.497767925 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.626017094 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.638871908 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.638951063 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.639115095 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.639137030 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.639149904 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.639324903 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.645541906 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:49.646094084 CEST	80	49853	104.19.223.79	192.168.11.30
Oct 15, 2024 15:39:49.646306038 CEST	49853	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:39:50.354988098 CEST	49854	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:50.568675041 CEST	80	49854	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:50.899072886 CEST	49855	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:39:51.027369976 CEST	80	49855	18.64.172.225	192.168.11.30
Oct 15, 2024 15:39:51.027606964 CEST	49855	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:39:51.029612064 CEST	49855	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:39:51.081727982 CEST	49854	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:51.157974958 CEST	80	49855	18.64.172.225	192.168.11.30
Oct 15, 2024 15:39:51.158106089 CEST	80	49855	18.64.172.225	192.168.11.30
Oct 15, 2024 15:39:51.158221960 CEST	80	49855	18.64.172.225	192.168.11.30
Oct 15, 2024 15:39:51.158490896 CEST	49855	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:39:51.162462950 CEST	49855	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:39:51.164804935 CEST	49856	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:51.292757988 CEST	80	49856	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:51.293109894 CEST	49856	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:51.295389891 CEST	80	49854	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:51.296087027 CEST	49856	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:51.423764944 CEST	80	49856	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:51.456424952 CEST	80	49856	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:51.457005978 CEST	80	49856	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:51.457159996 CEST	49856	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:51.463599920 CEST	49856	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:51.487900019 CEST	49852	445	192.168.11.30	192.168.11.5
Oct 15, 2024 15:39:51.800342083 CEST	49854	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:52.015794992 CEST	80	49854	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:52.472345114 CEST	49857	445	192.168.11.30	192.168.11.6
Oct 15, 2024 15:39:52.473179102 CEST	49858	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:39:52.475081921 CEST	49859	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:52.518887043 CEST	49854	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:52.603892088 CEST	80	49859	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:52.604681969 CEST	49859	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:52.607188940 CEST	49859	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:52.735127926 CEST	80	49854	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:52.735986948 CEST	80	49859	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:52.748456001 CEST	80	49859	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:52.748544931 CEST	80	49859	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:52.748769999 CEST	49859	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:52.756284952 CEST	49859	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:53.237521887 CEST	49854	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:39:53.451261044 CEST	80	49854	162.249.65.164	192.168.11.30
Oct 15, 2024 15:39:53.471812963 CEST	49857	445	192.168.11.30	192.168.11.6
Oct 15, 2024 15:39:53.487457037 CEST	49858	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:39:54.911619902 CEST	49861	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:55.040353060 CEST	80	49861	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:55.040518999 CEST	49861	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:55.045187950 CEST	49861	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:55.172940016 CEST	80	49861	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:55.210267067 CEST	80	49861	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:55.210788965 CEST	80	49861	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:55.210913897 CEST	49861	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:55.224811077 CEST	49861	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:55.486978054 CEST	49857	445	192.168.11.30	192.168.11.6
Oct 15, 2024 15:39:55.502607107 CEST	49858	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:39:56.241789103 CEST	49862	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:56.370059013 CEST	80	49862	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:56.370381117 CEST	49862	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:56.372972012 CEST	49862	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:56.486964941 CEST	49863	445	192.168.11.30	192.168.11.7
Oct 15, 2024 15:39:56.501229048 CEST	80	49862	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:56.539766073 CEST	80	49862	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:56.540019035 CEST	80	49862	104.27.207.92	192.168.11.30
Oct 15, 2024 15:39:56.540651083 CEST	49862	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:56.546777010 CEST	49862	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:39:57.502129078 CEST	49863	445	192.168.11.30	192.168.11.7
Oct 15, 2024 15:39:58.688746929 CEST	49865	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:39:59.501657963 CEST	49863	445	192.168.11.30	192.168.11.7
Oct 15, 2024 15:39:59.689119101 CEST	49865	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:39:59.848292112 CEST	49867	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:59.978533030 CEST	80	49867	172.67.155.175	192.168.11.30
Oct 15, 2024 15:39:59.979017973 CEST	49867	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:39:59.981961966 CEST	49867	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:00.110265970 CEST	80	49867	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:00.122845888 CEST	80	49867	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:00.123739958 CEST	80	49867	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:00.123881102 CEST	49867	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:00.132066011 CEST	49867	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:00.501735926 CEST	49868	445	192.168.11.30	192.168.11.8
Oct 15, 2024 15:40:01.516844988 CEST	49868	445	192.168.11.30	192.168.11.8
Oct 15, 2024 15:40:01.704269886 CEST	49865	31946	192.168.11.30	212.75.9.215
Oct 15, 2024 15:40:03.175843954 CEST	49871	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:03.304214001 CEST	80	49871	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:03.304546118 CEST	49871	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:03.307537079 CEST	49871	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:03.436366081 CEST	80	49871	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:03.478085995 CEST	80	49871	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:03.478125095 CEST	80	49871	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:03.478250980 CEST	49871	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:03.490298033 CEST	49871	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:03.532015085 CEST	49868	445	192.168.11.30	192.168.11.8
Oct 15, 2024 15:40:04.516371965 CEST	49872	445	192.168.11.30	192.168.11.9
Oct 15, 2024 15:40:04.879949093 CEST	49874	18849	192.168.11.30	46.159.134.7
Oct 15, 2024 15:40:05.515908957 CEST	49872	445	192.168.11.30	192.168.11.9
Oct 15, 2024 15:40:05.644555092 CEST	49875	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:05.773147106 CEST	80	49875	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:05.773294926 CEST	49875	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:05.776717901 CEST	49875	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:05.890805006 CEST	49874	18849	192.168.11.30	46.159.134.7
Oct 15, 2024 15:40:05.905503988 CEST	80	49875	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:05.927970886 CEST	80	49875	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:05.928766012 CEST	80	49875	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:05.929225922 CEST	49875	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:05.940365076 CEST	49875	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:07.531025887 CEST	49872	445	192.168.11.30	192.168.11.9
Oct 15, 2024 15:40:07.890552044 CEST	49874	18849	192.168.11.30	46.159.134.7
Oct 15, 2024 15:40:07.973294973 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.101823092 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.102085114 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.105302095 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.233725071 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.246814966 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.246869087 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.246922970 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.246948957 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.247088909 CEST	80	49877	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:08.247126102 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.247288942 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.247288942 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.257025003 CEST	49877	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:08.531095028 CEST	49878	445	192.168.11.30	192.168.11.10
Oct 15, 2024 15:40:09.546248913 CEST	49878	445	192.168.11.30	192.168.11.10
Oct 15, 2024 15:40:10.409095049 CEST	49880	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:10.537431955 CEST	80	49880	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:10.537872076 CEST	49880	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:10.541316986 CEST	49880	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:10.678776979 CEST	80	49880	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:10.686429024 CEST	80	49880	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:10.686764002 CEST	80	49880	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:10.687194109 CEST	49880	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:10.702792883 CEST	49880	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:11.083128929 CEST	49881	44785	192.168.11.30	188.114.42.197
Oct 15, 2024 15:40:11.545799971 CEST	49878	445	192.168.11.30	192.168.11.10
Oct 15, 2024 15:40:11.722256899 CEST	49882	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:11.850775003 CEST	80	49882	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:11.850940943 CEST	49882	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:11.856653929 CEST	49882	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:11.985117912 CEST	80	49882	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:12.037065029 CEST	80	49882	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:12.037245035 CEST	80	49882	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:12.037432909 CEST	49882	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:12.050602913 CEST	49882	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:12.092513084 CEST	49881	44785	192.168.11.30	188.114.42.197
Oct 15, 2024 15:40:12.545773983 CEST	49883	445	192.168.11.30	192.168.11.11
Oct 15, 2024 15:40:13.560956955 CEST	49883	445	192.168.11.30	192.168.11.11
Oct 15, 2024 15:40:14.107706070 CEST	49881	44785	192.168.11.30	188.114.42.197
Oct 15, 2024 15:40:14.220544100 CEST	49885	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:14.348931074 CEST	80	49885	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:14.349093914 CEST	49885	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:14.352721930 CEST	49885	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:14.480750084 CEST	80	49885	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:14.494254112 CEST	49886	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:14.497003078 CEST	80	49885	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:14.497329950 CEST	80	49885	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:14.497426033 CEST	49885	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:14.512298107 CEST	49885	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:14.695991993 CEST	80	49886	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:15.201173067 CEST	49886	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:15.403404951 CEST	80	49886	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:15.517148972 CEST	49887	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:15.576096058 CEST	49883	445	192.168.11.30	192.168.11.11
Oct 15, 2024 15:40:15.645517111 CEST	80	49887	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:15.646542072 CEST	49887	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:15.648714066 CEST	49887	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:15.776463032 CEST	80	49887	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:15.792668104 CEST	80	49887	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:15.793620110 CEST	80	49887	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:15.793844938 CEST	49887	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:15.806284904 CEST	49887	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:15.904851913 CEST	49886	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:16.108640909 CEST	80	49886	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:16.560482025 CEST	49888	445	192.168.11.30	192.168.11.12
Oct 15, 2024 15:40:16.622711897 CEST	49886	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:16.824466944 CEST	80	49886	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:16.920020103 CEST	49889	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:40:17.049652100 CEST	80	49889	18.64.172.225	192.168.11.30
Oct 15, 2024 15:40:17.049854040 CEST	49889	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:40:17.054218054 CEST	49889	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:40:17.182813883 CEST	80	49889	18.64.172.225	192.168.11.30
Oct 15, 2024 15:40:17.182926893 CEST	80	49889	18.64.172.225	192.168.11.30
Oct 15, 2024 15:40:17.182940006 CEST	80	49889	18.64.172.225	192.168.11.30
Oct 15, 2024 15:40:17.183166027 CEST	49889	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:40:17.191081047 CEST	49889	80	192.168.11.30	18.64.172.225
Oct 15, 2024 15:40:17.290194035 CEST	49891	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:40:17.325751066 CEST	49886	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:17.528079987 CEST	80	49886	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:17.575743914 CEST	49888	445	192.168.11.30	192.168.11.12
Oct 15, 2024 15:40:18.203552008 CEST	49892	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:18.294254065 CEST	49891	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:40:18.332952976 CEST	80	49892	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:18.333220959 CEST	49892	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:18.336213112 CEST	49892	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:18.465338945 CEST	80	49892	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:18.490449905 CEST	80	49892	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:18.490473032 CEST	80	49892	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:18.490634918 CEST	49892	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:18.502999067 CEST	49892	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:19.051841974 CEST	49893	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:19.252926111 CEST	80	49893	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:19.516144991 CEST	49894	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:19.590832949 CEST	49888	445	192.168.11.30	192.168.11.12
Oct 15, 2024 15:40:19.644665003 CEST	80	49894	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:19.644859076 CEST	49894	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:19.648307085 CEST	49894	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:19.762655020 CEST	49893	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:19.776325941 CEST	80	49894	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:19.797949076 CEST	80	49894	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:19.798610926 CEST	80	49894	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:19.798794985 CEST	49894	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:19.813745975 CEST	49894	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:19.963759899 CEST	80	49893	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:20.309434891 CEST	49891	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:40:20.465607882 CEST	49893	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:20.575269938 CEST	49895	445	192.168.11.30	192.168.11.13
Oct 15, 2024 15:40:20.669492960 CEST	80	49893	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:20.834758997 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:20.963268995 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:20.963516951 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:20.967335939 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:21.095997095 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.108386040 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.108458996 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.108761072 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.109030962 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:21.109281063 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.109302044 CEST	80	49896	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:21.109450102 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:21.119318008 CEST	49896	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:21.184201956 CEST	49893	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:21.385927916 CEST	80	49893	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:21.590353966 CEST	49895	445	192.168.11.30	192.168.11.13
Oct 15, 2024 15:40:21.887203932 CEST	49893	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:22.089360952 CEST	80	49893	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:22.126523972 CEST	49897	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:22.255402088 CEST	80	49897	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:22.255614996 CEST	49897	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:22.258682966 CEST	49897	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:22.390142918 CEST	80	49897	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:22.404212952 CEST	80	49897	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:22.405960083 CEST	80	49897	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:22.406157017 CEST	49897	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:22.419636011 CEST	49897	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:23.485656023 CEST	49898	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:40:23.589951038 CEST	49895	445	192.168.11.30	192.168.11.13
Oct 15, 2024 15:40:24.495939970 CEST	49898	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:40:24.590101004 CEST	49900	445	192.168.11.30	192.168.11.14
Oct 15, 2024 15:40:24.610225916 CEST	49901	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:24.738631010 CEST	80	49901	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:24.738809109 CEST	49901	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:24.741761923 CEST	49901	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:24.870161057 CEST	80	49901	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:24.893861055 CEST	80	49901	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:24.893959999 CEST	80	49901	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:24.894182920 CEST	49901	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:24.905704975 CEST	49901	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:25.605117083 CEST	49900	445	192.168.11.30	192.168.11.14
Oct 15, 2024 15:40:25.695162058 CEST	49902	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:25.897883892 CEST	80	49902	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:26.401757002 CEST	49902	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:26.511075020 CEST	49898	33325	192.168.11.30	41.47.39.184
Oct 15, 2024 15:40:26.603148937 CEST	80	49902	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:26.936161041 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.064369917 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.064604044 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.067579031 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.104789019 CEST	49902	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:27.202105045 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.207514048 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.207623005 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.207746029 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.207761049 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.208031893 CEST	80	49904	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:27.208179951 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.208179951 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.208256006 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.218370914 CEST	49904	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:27.306066036 CEST	80	49902	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:27.620203018 CEST	49900	445	192.168.11.30	192.168.11.14
Oct 15, 2024 15:40:27.807703018 CEST	49902	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:28.010415077 CEST	80	49902	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:28.233128071 CEST	49905	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:28.361496925 CEST	80	49905	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:28.361843109 CEST	49905	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:28.365048885 CEST	49905	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:28.493330956 CEST	80	49905	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:28.505347967 CEST	80	49905	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:28.506426096 CEST	80	49905	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:28.506676912 CEST	49905	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:28.519556046 CEST	49905	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:28.526294947 CEST	49902	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:28.604744911 CEST	49906	445	192.168.11.30	192.168.11.15
Oct 15, 2024 15:40:28.728204966 CEST	80	49902	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:29.619858980 CEST	49906	445	192.168.11.30	192.168.11.15
Oct 15, 2024 15:40:29.675721884 CEST	49908	19742	192.168.11.30	78.63.102.38
Oct 15, 2024 15:40:30.672919989 CEST	49909	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:30.682037115 CEST	49908	19742	192.168.11.30	78.63.102.38
Oct 15, 2024 15:40:30.801563025 CEST	80	49909	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:30.801887989 CEST	49909	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:30.806879997 CEST	49909	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:30.934912920 CEST	80	49909	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:30.950052977 CEST	80	49909	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:30.950367928 CEST	80	49909	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:30.950609922 CEST	49909	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:30.965195894 CEST	49909	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:31.634937048 CEST	49906	445	192.168.11.30	192.168.11.15
Oct 15, 2024 15:40:32.418355942 CEST	49911	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:32.632318020 CEST	80	49911	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:32.697174072 CEST	49908	19742	192.168.11.30	78.63.102.38
Oct 15, 2024 15:40:32.998012066 CEST	49913	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:33.126249075 CEST	80	49913	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:33.127402067 CEST	49913	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:33.130750895 CEST	49913	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:33.134577990 CEST	49911	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:33.259711981 CEST	80	49913	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:33.271306992 CEST	80	49913	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:33.271811962 CEST	80	49913	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:33.272161007 CEST	49913	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:33.293090105 CEST	49913	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:33.348771095 CEST	80	49911	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:33.853199959 CEST	49911	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:34.067285061 CEST	80	49911	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:34.309485912 CEST	49914	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:34.437915087 CEST	80	49914	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:34.438175917 CEST	49914	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:34.442751884 CEST	49914	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:34.571085930 CEST	80	49914	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:34.571763992 CEST	49911	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:34.592084885 CEST	80	49914	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:34.592530966 CEST	80	49914	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:34.592839003 CEST	49914	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:34.610987902 CEST	49914	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:34.785897970 CEST	80	49911	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:35.290355921 CEST	49911	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:35.504271030 CEST	80	49911	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:35.622271061 CEST	49915	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:35.751477957 CEST	80	49915	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:35.751744032 CEST	49915	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:35.754916906 CEST	49915	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:35.884186029 CEST	80	49915	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:35.898957968 CEST	80	49915	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:35.899029016 CEST	80	49915	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:35.899228096 CEST	49915	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:35.913707972 CEST	49915	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:38.062464952 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.190438986 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.190711021 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.194983959 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.323251009 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335241079 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335702896 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335825920 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335880995 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335891962 CEST	80	49919	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:38.335973024 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.336169004 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.354125023 CEST	49919	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:38.957122087 CEST	49920	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:39.159008980 CEST	80	49920	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:39.664392948 CEST	49920	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:39.866513968 CEST	80	49920	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:40.382961035 CEST	49920	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:40.584851980 CEST	80	49920	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:41.085908890 CEST	49920	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:41.287631035 CEST	80	49920	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:41.403923035 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.532449961 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.532710075 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.536031961 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.663927078 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.681519985 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.681618929 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.681668043 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.681732893 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.681987047 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.682049036 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.682761908 CEST	80	49924	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:41.683053017 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.694792986 CEST	49924	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:41.788882017 CEST	49920	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:41.994664907 CEST	80	49920	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:43.293477058 CEST	49927	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:43.422486067 CEST	80	49927	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:43.422749996 CEST	49927	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:43.426250935 CEST	49927	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:43.554603100 CEST	80	49927	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:43.570031881 CEST	80	49927	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:43.573508978 CEST	80	49927	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:43.573656082 CEST	49927	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:43.585114002 CEST	49927	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:45.924237013 CEST	49930	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:46.128209114 CEST	80	49930	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:46.631525993 CEST	49930	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:46.833122969 CEST	80	49930	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:47.010205030 CEST	49932	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:47.140970945 CEST	80	49932	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:47.141237020 CEST	49932	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:47.146018982 CEST	49932	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:47.274697065 CEST	80	49932	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:47.292885065 CEST	80	49932	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:47.294234037 CEST	80	49932	104.27.207.92	192.168.11.30
Oct 15, 2024 15:40:47.294589043 CEST	49932	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:47.309297085 CEST	49932	80	192.168.11.30	104.27.207.92
Oct 15, 2024 15:40:47.334448099 CEST	49930	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:47.536256075 CEST	80	49930	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:48.037470102 CEST	49930	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:48.239356041 CEST	80	49930	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:48.740437984 CEST	49930	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:40:48.942332983 CEST	80	49930	162.249.65.164	192.168.11.30
Oct 15, 2024 15:40:50.353879929 CEST	49937	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:50.481920958 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.482215881 CEST	49937	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:50.485524893 CEST	49937	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:50.648899078 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649286985 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649399996 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649415016 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649532080 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649545908 CEST	80	49937	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:50.649816036 CEST	49937	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:50.662672997 CEST	49937	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:53.539177895 CEST	49941	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:53.668402910 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.668715954 CEST	49941	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:53.671242952 CEST	49941	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:53.799982071 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821479082 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821572065 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821587086 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821599007 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821680069 CEST	80	49941	104.19.223.79	192.168.11.30
Oct 15, 2024 15:40:53.821856022 CEST	49941	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:53.824141026 CEST	49941	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:40:56.991347075 CEST	49945	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:57.119956970 CEST	80	49945	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:57.120141029 CEST	49945	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:57.122663021 CEST	49945	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:57.250916004 CEST	80	49945	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:57.265491962 CEST	80	49945	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:57.267409086 CEST	80	49945	172.67.155.175	192.168.11.30
Oct 15, 2024 15:40:57.267600060 CEST	49945	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:40:57.268260956 CEST	49945	80	192.168.11.30	172.67.155.175
Oct 15, 2024 15:41:02.234954119 CEST	49952	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:02.437025070 CEST	80	49952	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:02.940395117 CEST	49952	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:03.143452883 CEST	80	49952	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:03.614875078 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.658982038 CEST	49952	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:03.743704081 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.743835926 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.746777058 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.861299992 CEST	80	49952	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:03.875401974 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.891834021 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.891918898 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.891963959 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.892040014 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.892129898 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.892340899 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.892838001 CEST	80	49954	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:03.893058062 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:03.894483089 CEST	49954	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:04.361931086 CEST	49952	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:04.563994884 CEST	80	49952	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:05.064825058 CEST	49952	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:05.111841917 CEST	49957	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:41:05.267358065 CEST	80	49952	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:05.440139055 CEST	13918	49957	114.25.71.193	192.168.11.30
Oct 15, 2024 15:41:05.955301046 CEST	49957	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:41:06.282886982 CEST	13918	49957	114.25.71.193	192.168.11.30
Oct 15, 2024 15:41:06.783267021 CEST	49957	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:41:07.110690117 CEST	13918	49957	114.25.71.193	192.168.11.30
Oct 15, 2024 15:41:07.192208052 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.320517063 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.320739985 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.323862076 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.452347994 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467257977 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467370033 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467385054 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467396975 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467550039 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.467583895 CEST	80	49959	104.19.223.79	192.168.11.30
Oct 15, 2024 15:41:07.467597961 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.467816114 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.470329046 CEST	49959	80	192.168.11.30	104.19.223.79
Oct 15, 2024 15:41:07.611141920 CEST	49957	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:41:07.937525034 CEST	13918	49957	114.25.71.193	192.168.11.30
Oct 15, 2024 15:41:08.439136982 CEST	49957	13918	192.168.11.30	114.25.71.193
Oct 15, 2024 15:41:08.765667915 CEST	13918	49957	114.25.71.193	192.168.11.30
Oct 15, 2024 15:41:09.813121080 CEST	49961	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:09.876389027 CEST	49962	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:41:10.027199984 CEST	80	49961	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:10.532490015 CEST	49961	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:10.746274948 CEST	80	49961	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:10.891590118 CEST	49962	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:41:11.250894070 CEST	49961	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:11.464401007 CEST	80	49961	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:11.969544888 CEST	49961	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:12.183643103 CEST	80	49961	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:12.688220024 CEST	49961	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:12.901807070 CEST	80	49961	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:12.906877995 CEST	49962	40089	192.168.11.30	89.215.35.152
Oct 15, 2024 15:41:18.443964958 CEST	49966	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:18.646018028 CEST	80	49966	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:19.155430079 CEST	49966	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:19.357959986 CEST	80	49966	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:19.858392000 CEST	49966	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:20.060724974 CEST	80	49966	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:20.576951981 CEST	49966	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:20.779465914 CEST	80	49966	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:21.279953003 CEST	49966	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:21.482492924 CEST	80	49966	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:22.155035973 CEST	49968	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:41:23.170075893 CEST	49968	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:41:23.313538074 CEST	49969	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:23.514561892 CEST	80	49969	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:24.029301882 CEST	49969	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:24.231836081 CEST	80	49969	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:24.732232094 CEST	49969	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:24.934084892 CEST	80	49969	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:25.185353041 CEST	49968	29925	192.168.11.30	85.217.219.168
Oct 15, 2024 15:41:25.435211897 CEST	49969	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:25.636723042 CEST	80	49969	162.249.65.164	192.168.11.30
Oct 15, 2024 15:41:26.138214111 CEST	49969	80	192.168.11.30	162.249.65.164
Oct 15, 2024 15:41:26.339251041 CEST	80	49969	162.249.65.164	192.168.11.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 15, 2024 15:38:40.414622068 CEST	49455	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:38:40.543474913 CEST	53	49455	1.1.1.1	192.168.11.30
Oct 15, 2024 15:38:58.442030907 CEST	58455	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:38:58.691678047 CEST	53	58455	1.1.1.1	192.168.11.30
Oct 15, 2024 15:38:59.711370945 CEST	57464	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:00.056958914 CEST	53	57464	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:04.110301971 CEST	61364	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:04.240602970 CEST	53	61364	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:05.532372952 CEST	54229	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:05.665496111 CEST	53	54229	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:06.969485998 CEST	55876	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:07.100681067 CEST	53	55876	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:08.110032082 CEST	59675	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:08.242410898 CEST	53	59675	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:11.890161037 CEST	63334	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:12.021565914 CEST	53	63334	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:13.327150106 CEST	59155	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:13.458456993 CEST	53	59155	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:15.482992887 CEST	65348	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:15.612498045 CEST	53	65348	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:19.935543060 CEST	58530	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:20.065711021 CEST	53	58530	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:23.666913033 CEST	60493	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:23.849709034 CEST	53	60493	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:24.130404949 CEST	64846	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:24.261054993 CEST	53	64846	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:24.323012114 CEST	51106	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:24.451708078 CEST	53	51106	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:24.825845003 CEST	52971	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:25.051882029 CEST	53	52971	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:25.055627108 CEST	62741	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:25.186273098 CEST	53	62741	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:25.189435005 CEST	61485	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:25.385679960 CEST	53	61485	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:25.389005899 CEST	56672	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:25.550928116 CEST	53	56672	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:25.553493977 CEST	61946	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:25.813426018 CEST	53	61946	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:26.343383074 CEST	58492	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:26.535705090 CEST	53	58492	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:26.538328886 CEST	53588	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:26.741101027 CEST	53	53588	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:26.744209051 CEST	52569	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:26.908265114 CEST	53	52569	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:26.913572073 CEST	56473	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.108666897 CEST	53	56473	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.115839005 CEST	59036	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.280401945 CEST	53	59036	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.283669949 CEST	56953	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.323983908 CEST	65052	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.454562902 CEST	53	65052	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.466823101 CEST	53	56953	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.469182968 CEST	56433	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.632443905 CEST	53	56433	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.635292053 CEST	49413	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.766661882 CEST	53	49413	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.769813061 CEST	51710	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:27.901990891 CEST	53	51710	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:27.905535936 CEST	50602	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.068475008 CEST	53	50602	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:28.071770906 CEST	59165	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.237410069 CEST	53	59165	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:28.240761042 CEST	63221	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.372087955 CEST	53	63221	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:28.375235081 CEST	60578	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.464379072 CEST	51690	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.540050983 CEST	53	60578	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:28.543198109 CEST	52497	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:28.593305111 CEST	53	51690	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:28.872649908 CEST	53	52497	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.205935001 CEST	50572	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:29.337193012 CEST	53	50572	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.339679956 CEST	53870	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:29.470954895 CEST	53	53870	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.473287106 CEST	52013	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:29.604614973 CEST	53	52013	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.608033895 CEST	59545	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:29.770373106 CEST	53	59545	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.773071051 CEST	53526	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:29.902823925 CEST	53	53526	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:29.906632900 CEST	52105	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:30.070483923 CEST	53	52105	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:30.074577093 CEST	58797	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:30.206793070 CEST	53	58797	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:30.210133076 CEST	60781	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:30.418538094 CEST	53	60781	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:33.446309090 CEST	63583	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:33.610733032 CEST	53	63583	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:33.613446951 CEST	64531	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:33.775558949 CEST	53	64531	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:33.778007030 CEST	55860	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:33.941978931 CEST	53	55860	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:33.944370031 CEST	53950	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.126616955 CEST	53	53950	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.129754066 CEST	50900	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.260364056 CEST	53	50900	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.263114929 CEST	62683	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.427784920 CEST	53	62683	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.432594061 CEST	64308	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.564467907 CEST	53	64308	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.570344925 CEST	63632	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.702178955 CEST	53	63632	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.704999924 CEST	52372	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:34.883207083 CEST	53	52372	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:34.885679007 CEST	65168	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:35.016244888 CEST	53	65168	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:35.018577099 CEST	62988	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:35.183159113 CEST	53	62988	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:35.186800957 CEST	49518	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:35.426217079 CEST	53	49518	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:35.430341005 CEST	57591	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:35.625288010 CEST	53	57591	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:35.627851009 CEST	52468	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:35.790374994 CEST	53	52468	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:35.792973995 CEST	63838	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.025738001 CEST	53	63838	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.028609991 CEST	61722	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.159022093 CEST	53	61722	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.161560059 CEST	56598	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.292989016 CEST	53	56598	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.295654058 CEST	58747	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.417311907 CEST	64280	274	192.168.11.30	192.168.11.1
Oct 15, 2024 15:39:36.462687969 CEST	53	58747	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.465563059 CEST	61779	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.601824045 CEST	53	61779	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.605437040 CEST	61702	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.734504938 CEST	53	61702	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.737934113 CEST	63762	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.837378025 CEST	58034	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.868453979 CEST	53	63762	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:36.871181965 CEST	50259	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:36.966979027 CEST	53	58034	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.079407930 CEST	53	50259	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.083707094 CEST	61682	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.216861010 CEST	53	61682	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.221072912 CEST	52468	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.350467920 CEST	53	52468	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.353149891 CEST	50439	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.531624079 CEST	53	50439	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.534080982 CEST	59750	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.722978115 CEST	53	59750	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.725290060 CEST	57578	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.861534119 CEST	53	57578	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.864403009 CEST	59509	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.977880955 CEST	51527	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:37.997571945 CEST	53	59509	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:37.999958038 CEST	59265	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.106955051 CEST	53	51527	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.129209042 CEST	53	59265	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.131649971 CEST	53963	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.265034914 CEST	53	53963	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.268506050 CEST	56053	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.447813034 CEST	53	56053	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.450880051 CEST	51748	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.580187082 CEST	53	51748	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.583066940 CEST	60238	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.820915937 CEST	53	60238	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.824426889 CEST	61018	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:38.989698887 CEST	53	61018	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:38.992537022 CEST	53588	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.209005117 CEST	53	53588	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.213931084 CEST	54089	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.344187021 CEST	53	54089	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.347270966 CEST	60088	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.483468056 CEST	53	60088	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.486140966 CEST	51100	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.619304895 CEST	53	51100	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.623193979 CEST	49171	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.755795956 CEST	53	49171	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.762003899 CEST	65464	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:39.926956892 CEST	53	65464	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:39.930895090 CEST	50358	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.061706066 CEST	53	50358	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.064742088 CEST	62482	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.295646906 CEST	53	62482	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.298084021 CEST	51855	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.429178953 CEST	53	51855	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.432023048 CEST	49374	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.562865973 CEST	53	49374	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.566133022 CEST	49673	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.750669003 CEST	53	49673	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.753295898 CEST	50169	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:40.956217051 CEST	53	50169	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:40.958858013 CEST	54881	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.120914936 CEST	53	54881	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.123764992 CEST	62606	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.257857084 CEST	53	62606	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.261499882 CEST	56310	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.394018888 CEST	53	56310	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.397197008 CEST	64737	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.592291117 CEST	53	64737	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.595206976 CEST	61048	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.758399963 CEST	53	61048	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.760750055 CEST	53186	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:41.944401979 CEST	53	53186	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:41.948093891 CEST	53678	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:42.155827045 CEST	53	53678	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:42.158763885 CEST	52693	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:42.459836006 CEST	53	52693	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:42.466414928 CEST	54563	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:42.596246004 CEST	53	54563	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:42.599704981 CEST	61247	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:42.731889009 CEST	53	61247	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:42.734457970 CEST	50488	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:42.864972115 CEST	53	50488	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:42.867594004 CEST	58268	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.031594038 CEST	53	58268	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.034259081 CEST	52370	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.165231943 CEST	53	52370	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.167839050 CEST	56205	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.300740957 CEST	53	56205	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.303669930 CEST	56480	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.436906099 CEST	53	56480	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.439383984 CEST	58335	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.618046045 CEST	53	58335	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.620383024 CEST	51221	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.750108957 CEST	53	51221	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.752687931 CEST	57741	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:43.884051085 CEST	53	57741	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:43.887547016 CEST	64712	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.051434994 CEST	53	64712	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.054512978 CEST	53527	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.188566923 CEST	53	53527	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.190884113 CEST	63147	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.335915089 CEST	52473	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.354953051 CEST	53	63147	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.357505083 CEST	54264	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.465910912 CEST	53	52473	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.488811016 CEST	53	54264	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.491775990 CEST	60698	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.657041073 CEST	53	60698	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.660141945 CEST	54024	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.791743994 CEST	53	54024	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.795521975 CEST	64581	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:44.927017927 CEST	53	64581	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:44.930398941 CEST	61753	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:45.156805038 CEST	53	61753	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:45.162209034 CEST	54448	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:45.291872978 CEST	53	54448	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:48.334391117 CEST	64490	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:48.496766090 CEST	53	64490	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:48.502665997 CEST	53397	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:48.636775970 CEST	53	53397	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:48.639245987 CEST	61386	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:48.804239035 CEST	53	61386	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:48.806818962 CEST	56851	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:48.970596075 CEST	53	56851	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:48.973702908 CEST	57199	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.104712009 CEST	53	57199	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.108383894 CEST	63592	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.238882065 CEST	53	63592	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.241571903 CEST	50881	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.373984098 CEST	53	50881	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.377475977 CEST	53840	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.511455059 CEST	53	53840	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.514941931 CEST	57495	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.692310095 CEST	53	57495	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.695317984 CEST	62249	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.826980114 CEST	53	62249	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.829531908 CEST	60909	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:49.971786022 CEST	53	60909	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:49.974812984 CEST	63567	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:50.142409086 CEST	53	63567	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:50.145515919 CEST	57375	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:50.353863001 CEST	53	57375	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:50.769799948 CEST	51394	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:50.898416042 CEST	53	51394	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:53.453795910 CEST	57530	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:53.683918953 CEST	53	57530	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:53.687098980 CEST	63211	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:53.771187067 CEST	61861	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:53.818645000 CEST	53	63211	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:53.821186066 CEST	63975	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:53.901978970 CEST	53	61861	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:53.951093912 CEST	53	63975	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:53.954644918 CEST	57014	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.085144043 CEST	53	57014	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.087939978 CEST	53775	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.250549078 CEST	53	53775	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.253166914 CEST	57609	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.382061958 CEST	53	57609	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.385368109 CEST	64996	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.549787998 CEST	53	64996	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.553011894 CEST	61666	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.684068918 CEST	53	61666	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.688724041 CEST	60836	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:54.818108082 CEST	53	60836	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:54.820857048 CEST	53241	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.044022083 CEST	53	53241	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.048594952 CEST	49383	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.210772991 CEST	53	49383	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.215699911 CEST	49470	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.394150972 CEST	53	49470	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.396856070 CEST	54762	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.572534084 CEST	53	54762	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.575463057 CEST	62793	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.739037037 CEST	53	62793	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.742520094 CEST	58650	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:55.946197987 CEST	53	58650	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:55.949686050 CEST	65136	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.079489946 CEST	53	65136	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.083051920 CEST	54038	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.213932037 CEST	53	54038	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.216909885 CEST	55158	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.516108990 CEST	53	55158	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.519056082 CEST	59219	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.655040026 CEST	53	59219	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.658297062 CEST	51243	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.787498951 CEST	53	51243	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.790200949 CEST	60709	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:56.921091080 CEST	53	60709	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:56.923935890 CEST	56857	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.055784941 CEST	53	56857	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.058650970 CEST	60849	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.268176079 CEST	53	60849	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.271853924 CEST	56512	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.402077913 CEST	53	56512	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.405524015 CEST	49152	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.551872969 CEST	56088	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.569474936 CEST	53	49152	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.572380066 CEST	64703	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.688996077 CEST	53	56088	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.775567055 CEST	53	64703	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.779550076 CEST	60413	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:57.909548044 CEST	53	60413	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:57.914220095 CEST	56434	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.109240055 CEST	53	56434	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.112750053 CEST	61662	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.277627945 CEST	53	61662	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.280780077 CEST	51203	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.463618040 CEST	53	51203	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.466389894 CEST	51548	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.643517017 CEST	53	51548	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.647207022 CEST	64908	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.709202051 CEST	50209	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.776818037 CEST	53	64908	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.780714035 CEST	55160	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:58.839396954 CEST	53	50209	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.912314892 CEST	53	55160	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:58.915333986 CEST	62975	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:59.049501896 CEST	53	62975	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:59.052649975 CEST	57281	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:59.256421089 CEST	53	57281	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:59.260301113 CEST	59213	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:59.560400963 CEST	53	59213	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:59.563123941 CEST	61078	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:59.728615999 CEST	53	61078	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:59.731981039 CEST	52152	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:39:59.864736080 CEST	53	52152	1.1.1.1	192.168.11.30
Oct 15, 2024 15:39:59.867403984 CEST	61302	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.000610113 CEST	53	61302	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.004115105 CEST	54388	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.182277918 CEST	53	54388	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.188419104 CEST	58246	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.319427967 CEST	53	58246	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.323312044 CEST	63956	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.517605066 CEST	53	63956	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.524643898 CEST	62870	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.656982899 CEST	53	62870	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.661382914 CEST	58213	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:00.824635029 CEST	53	58213	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:00.828836918 CEST	54531	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.006561995 CEST	53	54531	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.010289907 CEST	52274	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.244771957 CEST	53	52274	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.248405933 CEST	52768	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.482095003 CEST	53	52768	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.485439062 CEST	65451	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.622596979 CEST	53	65451	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.627218962 CEST	53561	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.756441116 CEST	53	53561	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.763695002 CEST	50624	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:01.896802902 CEST	53	50624	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:01.901222944 CEST	60350	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.065056086 CEST	53	60350	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.068640947 CEST	54297	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.198246002 CEST	53	54297	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.202337980 CEST	51915	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.343781948 CEST	53	51915	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.347054958 CEST	55334	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.479547024 CEST	53	55334	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.483568907 CEST	50586	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.787012100 CEST	53	50586	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.790452003 CEST	56329	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:02.984458923 CEST	53	56329	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:02.988261938 CEST	52262	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:03.154942989 CEST	53	52262	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:03.158591032 CEST	62528	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:03.390311003 CEST	53	62528	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:03.394155025 CEST	49512	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:03.687446117 CEST	53	49512	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:03.692405939 CEST	62118	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:03.983000994 CEST	53	62118	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:03.990890026 CEST	57329	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.228943110 CEST	53	57329	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.232785940 CEST	60770	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.364389896 CEST	53	60770	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.368508101 CEST	62023	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.497577906 CEST	53	62023	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.501132011 CEST	55034	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.504079103 CEST	60669	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.632868052 CEST	53	55034	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.635875940 CEST	53	60669	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.639394045 CEST	59122	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:04.888986111 CEST	53	59122	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:04.892493010 CEST	62232	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:05.135054111 CEST	53	62232	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:05.138835907 CEST	58329	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:05.302438021 CEST	53	58329	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:05.306590080 CEST	63115	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:05.439363956 CEST	53	63115	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:05.442756891 CEST	65062	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:05.691577911 CEST	53	65062	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:05.695008993 CEST	64655	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:05.891922951 CEST	53	64655	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:05.895473957 CEST	52681	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.058862925 CEST	53	52681	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.062268972 CEST	64468	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.267184019 CEST	53	64468	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.271080017 CEST	63155	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.433285952 CEST	53	63155	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.436827898 CEST	57245	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.568025112 CEST	53	57245	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.573314905 CEST	63024	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.702210903 CEST	53	63024	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.706295967 CEST	53019	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.839036942 CEST	53	53019	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.842514992 CEST	60029	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:06.972913027 CEST	53	60029	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:06.976561069 CEST	59349	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:07.108933926 CEST	53	59349	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:07.112842083 CEST	63022	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:07.428953886 CEST	53	63022	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:07.433726072 CEST	62673	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:07.597311974 CEST	53	62673	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:07.600706100 CEST	57920	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:07.764908075 CEST	53	57920	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:07.769215107 CEST	54669	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:07.901819944 CEST	53	54669	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:07.905606985 CEST	56781	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.204827070 CEST	53	56781	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.208652973 CEST	52213	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.386322975 CEST	53	52213	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.390111923 CEST	60853	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.522423983 CEST	53	60853	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.526298046 CEST	58387	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.657418966 CEST	53	58387	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.663937092 CEST	64028	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.794617891 CEST	53	64028	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.799264908 CEST	55597	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:08.962594986 CEST	53	55597	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:08.966694117 CEST	49848	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.180537939 CEST	53	49848	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.185673952 CEST	61032	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.268300056 CEST	57719	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.363418102 CEST	53	61032	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.368194103 CEST	61351	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.399044037 CEST	53	57719	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.570826054 CEST	53	61351	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.576735020 CEST	59098	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.706393003 CEST	53	59098	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.709969997 CEST	59815	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.842884064 CEST	53	59815	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.846354961 CEST	55477	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:09.976252079 CEST	53	55477	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:09.982986927 CEST	60612	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:10.146811962 CEST	53	60612	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:10.150525093 CEST	64833	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:10.448308945 CEST	53	64833	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:10.452133894 CEST	62898	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:10.615220070 CEST	53	62898	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:10.621052027 CEST	62615	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:10.784259081 CEST	53	62615	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:10.787724972 CEST	60917	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:10.952404022 CEST	53	60917	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:10.957937956 CEST	58644	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:11.098048925 CEST	53	58644	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:11.101537943 CEST	51884	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:11.231776953 CEST	53	51884	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:11.235846043 CEST	53730	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:11.548305035 CEST	53	53730	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:11.551903963 CEST	64945	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:11.791655064 CEST	53	64945	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:11.796868086 CEST	65372	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:11.992259979 CEST	53	65372	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:11.995796919 CEST	64580	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:12.245412111 CEST	53	64580	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:12.248888969 CEST	58185	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:12.556767941 CEST	53	58185	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:12.563143015 CEST	52938	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:12.731004000 CEST	53	52938	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:12.737648010 CEST	61565	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:12.866061926 CEST	53	61565	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:12.869527102 CEST	65356	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.032397985 CEST	53	65356	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.037353992 CEST	57609	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.065087080 CEST	51935	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.206866026 CEST	53	51935	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.206897974 CEST	53	57609	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.210278034 CEST	62496	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.342005014 CEST	53	62496	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.346364021 CEST	56192	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.475677967 CEST	53	56192	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.479967117 CEST	56975	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.727724075 CEST	53	56975	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.731198072 CEST	61373	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:13.895775080 CEST	53	61373	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:13.899132013 CEST	64721	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:14.031182051 CEST	53	64721	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:14.034751892 CEST	57932	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:14.281040907 CEST	53	57932	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:14.286571980 CEST	62916	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:14.493504047 CEST	53	62916	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:17.532160997 CEST	63725	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:17.831378937 CEST	53	63725	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:17.837760925 CEST	53663	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:17.969021082 CEST	53	53663	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:17.974606991 CEST	57159	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.107050896 CEST	53	57159	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.112304926 CEST	59666	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.276989937 CEST	53	59666	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.280862093 CEST	65383	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.410273075 CEST	53	65383	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.415339947 CEST	53848	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.546475887 CEST	53	53848	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.550473928 CEST	60483	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.780595064 CEST	53	60483	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.785860062 CEST	54238	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:18.917895079 CEST	53	54238	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:18.921432018 CEST	64362	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:19.050992966 CEST	53	64362	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:22.093174934 CEST	49370	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:22.225517988 CEST	53	49370	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:22.229320049 CEST	63518	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:22.423574924 CEST	53	63518	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:22.427567005 CEST	58839	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:22.642524004 CEST	53	58839	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:22.646583080 CEST	61965	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:22.907320023 CEST	53	61965	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:22.910707951 CEST	53559	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.040931940 CEST	53	53559	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.045496941 CEST	50073	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.208344936 CEST	53	50073	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.212366104 CEST	58281	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.344176054 CEST	53	58281	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.347815037 CEST	65416	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.439129114 CEST	61091	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.529771090 CEST	53	65416	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.536597013 CEST	56608	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.592607021 CEST	53	61091	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.699387074 CEST	53	56608	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:23.703058004 CEST	60554	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:23.997534990 CEST	53	60554	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.001287937 CEST	52476	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.133137941 CEST	53	52476	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.136564970 CEST	58392	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.268093109 CEST	53	58392	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.271790028 CEST	53151	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.404104948 CEST	53	53151	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.409508944 CEST	58610	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.539346933 CEST	53	58610	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.543056011 CEST	52111	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.674990892 CEST	53	52111	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.678983927 CEST	52695	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.857009888 CEST	53	52695	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.860831976 CEST	49152	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:24.992207050 CEST	53	49152	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:24.998054028 CEST	65345	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:25.200723886 CEST	53	65345	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:25.204174042 CEST	53389	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:25.694097996 CEST	53	53389	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:28.732544899 CEST	60762	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:28.864736080 CEST	53	60762	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:28.868313074 CEST	60675	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.000902891 CEST	53	60675	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.005860090 CEST	58954	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.170281887 CEST	53	58954	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.176175117 CEST	53500	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.309149981 CEST	53	53500	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.314455032 CEST	51039	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.445425987 CEST	53	51039	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.449090958 CEST	56435	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.530795097 CEST	53254	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.580864906 CEST	53	56435	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.586075068 CEST	63398	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.659954071 CEST	53	53254	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.749084949 CEST	53	63398	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.754332066 CEST	51799	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:29.884202003 CEST	53	51799	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:29.888900995 CEST	62626	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.052155972 CEST	53	62626	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.056337118 CEST	60875	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.220949888 CEST	53	60875	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.226068974 CEST	65019	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.421612024 CEST	53	65019	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.429393053 CEST	63886	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.561008930 CEST	53	63886	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.565179110 CEST	60414	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.694941998 CEST	53	60414	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.700186014 CEST	63435	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:30.936291933 CEST	53	63435	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:30.939871073 CEST	49788	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.068809032 CEST	53	49788	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.072240114 CEST	64165	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.203437090 CEST	53	64165	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.207207918 CEST	59497	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.338823080 CEST	53	59497	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.342436075 CEST	52685	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.474129915 CEST	53	52685	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.479990005 CEST	55573	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.770035028 CEST	53	55573	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.776096106 CEST	53856	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:31.940285921 CEST	53	53856	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:31.945789099 CEST	55974	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:32.077666998 CEST	53	55974	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:32.082159996 CEST	57871	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:32.417399883 CEST	53	57871	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:35.508886099 CEST	54833	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:35.712908983 CEST	53	54833	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:35.716840029 CEST	49506	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:35.882102013 CEST	53	49506	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:35.885670900 CEST	63851	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.016165972 CEST	53	63851	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.019810915 CEST	54969	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.184149027 CEST	53	54969	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.188375950 CEST	55342	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.320317030 CEST	53	55342	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.324055910 CEST	61977	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.455329895 CEST	53	61977	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.459127903 CEST	55960	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.675358057 CEST	53	55960	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.681737900 CEST	62950	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.810920000 CEST	53	62950	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:36.814660072 CEST	51585	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:36.919897079 CEST	51094	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.026983976 CEST	53	51585	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.031027079 CEST	65043	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.049221039 CEST	53	51094	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.194293976 CEST	53	65043	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.198709965 CEST	62069	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.404366970 CEST	53	62069	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.410093069 CEST	58315	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.545795918 CEST	53	58315	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.550668955 CEST	53858	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.681818962 CEST	53	53858	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.687758923 CEST	61551	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:37.895689964 CEST	53	61551	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:37.899818897 CEST	63859	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.031255007 CEST	53	63859	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.035335064 CEST	57980	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.168739080 CEST	53	57980	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.172792912 CEST	54235	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.306154966 CEST	53	54235	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.310612917 CEST	58239	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.473686934 CEST	53	58239	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.477615118 CEST	52942	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.611176968 CEST	53	52942	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.616976976 CEST	53227	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.820714951 CEST	53	53227	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:38.824876070 CEST	58154	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:38.956223965 CEST	53	58154	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:41.998590946 CEST	52639	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.130565882 CEST	53	52639	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.135379076 CEST	56581	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.267520905 CEST	53	56581	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.271543026 CEST	49399	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.405050039 CEST	53	49399	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.410033941 CEST	54000	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.656404972 CEST	53	54000	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.668812037 CEST	52977	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.804936886 CEST	59081	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.831593037 CEST	53	52977	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.837740898 CEST	58247	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:42.936119080 CEST	53	59081	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.968178988 CEST	53	58247	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:42.972775936 CEST	63297	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:43.231833935 CEST	53	63297	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:43.236644030 CEST	59371	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:43.399180889 CEST	53	59371	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:43.403394938 CEST	56384	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:43.567142010 CEST	53	56384	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:43.571538925 CEST	54675	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:43.701117992 CEST	53	54675	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:43.705096006 CEST	63993	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:43.922002077 CEST	53	63993	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:43.926253080 CEST	55260	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.089970112 CEST	53	55260	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.095637083 CEST	52516	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.301032066 CEST	53	52516	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.305754900 CEST	51963	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.435883045 CEST	53	51963	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.440424919 CEST	49296	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.606043100 CEST	56677	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.644104004 CEST	53	49296	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.649853945 CEST	61566	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.737411976 CEST	53	56677	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.781250954 CEST	53	61566	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.785608053 CEST	50367	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:44.918150902 CEST	53	50367	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:44.922159910 CEST	58413	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.055444956 CEST	53	58413	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.060472012 CEST	57285	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.191740990 CEST	53	57285	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.195957899 CEST	50561	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.325480938 CEST	53	50561	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.330426931 CEST	61099	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.535262108 CEST	53	61099	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.541280031 CEST	61630	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.704972982 CEST	53	61630	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.711361885 CEST	54593	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.744759083 CEST	55894	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:45.922581911 CEST	53	54593	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:45.996750116 CEST	53	55894	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:48.947699070 CEST	54577	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.079109907 CEST	53	54577	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.083225965 CEST	64276	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.247307062 CEST	53	64276	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.251451969 CEST	53519	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.414371967 CEST	53	53519	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.418332100 CEST	64521	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.600483894 CEST	53	64521	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.605550051 CEST	52441	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.734067917 CEST	53	52441	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.739710093 CEST	54670	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:49.945694923 CEST	53	54670	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:49.949956894 CEST	60840	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:50.114571095 CEST	53	60840	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:50.118576050 CEST	57386	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:50.247878075 CEST	53	57386	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:50.252131939 CEST	60133	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:50.415230989 CEST	53	60133	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:50.420017958 CEST	52592	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:50.582907915 CEST	53	52592	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:50.586915016 CEST	65378	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:50.717269897 CEST	53	65378	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:50.721501112 CEST	61578	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:51.017802954 CEST	53	61578	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:51.712886095 CEST	52176	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:51.844352007 CEST	53	52176	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:51.847227097 CEST	58931	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:51.979098082 CEST	53	58931	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:51.982026100 CEST	59021	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.145538092 CEST	53	59021	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.148946047 CEST	52596	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.354728937 CEST	53	52596	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.358076096 CEST	61121	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.399060965 CEST	61915	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.523325920 CEST	53	61121	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.526359081 CEST	51086	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.529164076 CEST	53	61915	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.656572104 CEST	53	51086	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.659454107 CEST	52154	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.792020082 CEST	53	52154	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.795188904 CEST	50098	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:52.927196026 CEST	53	50098	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:52.930325031 CEST	54095	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:53.095614910 CEST	53	54095	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:53.098484039 CEST	54905	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:53.387314081 CEST	53	54905	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:53.390530109 CEST	60113	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:53.520831108 CEST	53	60113	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:53.524136066 CEST	50437	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:53.747910976 CEST	53	50437	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:53.750977039 CEST	63620	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.041420937 CEST	53	63620	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:54.044800997 CEST	62146	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.278383017 CEST	53	62146	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:54.281815052 CEST	55447	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.586980104 CEST	53	55447	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:54.589972973 CEST	58691	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.719954014 CEST	53	58691	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:54.722759008 CEST	62367	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.835540056 CEST	65226	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.854980946 CEST	53	62367	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:54.857971907 CEST	50037	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:54.965719938 CEST	53	65226	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.021820068 CEST	53	50037	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.025285959 CEST	59287	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:55.232455969 CEST	53	59287	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.235795975 CEST	53337	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:55.533637047 CEST	53	53337	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.537533998 CEST	55960	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:55.717464924 CEST	53	55960	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.721199036 CEST	62160	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:55.853084087 CEST	53	62160	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.856214046 CEST	58770	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:55.987535954 CEST	53	58770	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:55.990683079 CEST	52428	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:56.122447968 CEST	53	52428	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:56.125519037 CEST	54601	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:56.288511992 CEST	53	54601	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:56.291580915 CEST	62692	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:56.454893112 CEST	53	62692	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:56.457935095 CEST	62470	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:56.688235044 CEST	53	62470	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:56.691026926 CEST	50506	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:56.822460890 CEST	53	50506	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:56.825618982 CEST	58067	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.008601904 CEST	53	58067	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.011589050 CEST	54104	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.173768044 CEST	53	54104	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.176898003 CEST	56626	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.385817051 CEST	53	56626	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.388931036 CEST	49477	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.522588968 CEST	53	49477	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.525916100 CEST	53787	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.657691956 CEST	53	53787	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.660623074 CEST	53575	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:57.825530052 CEST	53	53575	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:57.828598022 CEST	64249	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:58.036119938 CEST	53	64249	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:58.039510012 CEST	49642	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:58.353249073 CEST	53	49642	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:58.356168032 CEST	54226	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:58.489398956 CEST	53	54226	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:58.492325068 CEST	61768	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:58.704735041 CEST	53	61768	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:58.707912922 CEST	51559	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:58.872731924 CEST	53	51559	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:58.875504971 CEST	64467	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.006763935 CEST	53	64467	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.009589911 CEST	57939	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.143372059 CEST	53	57939	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.146507978 CEST	53217	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.287482023 CEST	64050	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.377525091 CEST	53	53217	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.380774975 CEST	65113	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.426335096 CEST	53	64050	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.511931896 CEST	53	65113	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.515264988 CEST	56671	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.647332907 CEST	53	56671	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.650487900 CEST	55571	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:40:59.948757887 CEST	53	55571	1.1.1.1	192.168.11.30
Oct 15, 2024 15:40:59.951936007 CEST	61451	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.080667973 CEST	53	61451	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.084130049 CEST	61879	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.247585058 CEST	53	61879	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.250597000 CEST	54886	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.415306091 CEST	53	54886	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.418502092 CEST	57142	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.443864107 CEST	59800	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.549045086 CEST	53	57142	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.552272081 CEST	63224	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.573348999 CEST	53	59800	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.686049938 CEST	53	63224	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.689439058 CEST	55150	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.820766926 CEST	53	55150	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.823631048 CEST	52606	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:00.954222918 CEST	53	52606	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:00.957568884 CEST	52554	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:01.151454926 CEST	53	52554	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:01.154458046 CEST	49942	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:01.287635088 CEST	53	49942	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:01.291104078 CEST	60811	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:01.453718901 CEST	53	60811	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:01.456621885 CEST	51683	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:01.590816975 CEST	53	51683	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:01.593631029 CEST	64358	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:01.888709068 CEST	53	64358	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:01.891725063 CEST	53396	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:02.024576902 CEST	53	53396	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:02.027658939 CEST	62450	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:02.234149933 CEST	53	62450	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:04.912002087 CEST	57889	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:05.041791916 CEST	53	57889	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:05.270987988 CEST	64195	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:05.433868885 CEST	53	64195	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:05.437107086 CEST	54293	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:05.606949091 CEST	53	54293	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:05.610394001 CEST	55794	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:05.740880966 CEST	53	55794	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:05.744123936 CEST	62286	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:05.907262087 CEST	53	62286	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:05.910861015 CEST	62524	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.051698923 CEST	59569	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.074598074 CEST	53	62524	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.077606916 CEST	54238	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.182168007 CEST	53	59569	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.276040077 CEST	53	54238	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.279476881 CEST	50470	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.504889011 CEST	53	50470	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.508794069 CEST	56921	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.674196959 CEST	53	56921	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.677675009 CEST	54436	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.809618950 CEST	53	54436	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.812747002 CEST	53862	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:06.944685936 CEST	53	53862	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:06.948067904 CEST	63350	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.080096006 CEST	53	63350	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.083620071 CEST	65084	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.289221048 CEST	53	65084	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.292474031 CEST	54921	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.454277039 CEST	53	54921	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.457473993 CEST	64010	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.594712973 CEST	53	64010	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.597765923 CEST	56020	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.801260948 CEST	53	56020	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.804894924 CEST	56610	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:07.968422890 CEST	53	56610	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:07.971553087 CEST	65443	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:08.102128029 CEST	53	65443	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:08.104996920 CEST	56613	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:08.407915115 CEST	53	56613	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:08.411901951 CEST	52151	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:08.542010069 CEST	53	52151	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:08.545228958 CEST	62075	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:08.784792900 CEST	53	62075	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:08.787936926 CEST	65270	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:08.951042891 CEST	53	65270	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:08.954477072 CEST	52820	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:09.118925095 CEST	53	52820	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:09.121844053 CEST	56779	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:09.419800997 CEST	53	56779	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:09.422920942 CEST	60120	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:09.598784924 CEST	53	60120	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:09.602078915 CEST	61562	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:09.812100887 CEST	53	61562	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:12.905014038 CEST	49896	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.036602974 CEST	53	49896	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.039949894 CEST	63662	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.222948074 CEST	53	63662	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.226073980 CEST	53896	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.357429981 CEST	53	53896	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.360898972 CEST	51571	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.494137049 CEST	53	51571	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.497730017 CEST	49514	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.629539967 CEST	53	49514	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.632421970 CEST	54050	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.814726114 CEST	53	54050	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.818116903 CEST	49756	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:13.947834969 CEST	53	49756	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:13.951265097 CEST	57383	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.082676888 CEST	53	57383	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.086193085 CEST	50719	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.300617933 CEST	53	50719	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.303845882 CEST	58257	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.468369961 CEST	53	58257	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.471139908 CEST	50158	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.636611938 CEST	53	50158	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.639642954 CEST	63356	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.781891108 CEST	53	63356	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.785166025 CEST	60550	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:14.967777967 CEST	53	60550	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:14.970844984 CEST	61160	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.133441925 CEST	53	61160	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.136620045 CEST	62307	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.268141031 CEST	53	62307	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.271349907 CEST	59746	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.403243065 CEST	53	59746	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.406755924 CEST	64040	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.537328005 CEST	53	64040	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.540358067 CEST	49843	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.673921108 CEST	53	49843	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.677042961 CEST	65425	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.808639050 CEST	53	65425	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.811647892 CEST	61552	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:15.941210985 CEST	53	61552	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:15.944691896 CEST	58334	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:16.174685001 CEST	53	58334	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:16.178014040 CEST	59710	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:16.413115978 CEST	53	59710	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:16.416313887 CEST	62206	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:16.548532963 CEST	53	62206	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:16.551795959 CEST	64140	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:16.715807915 CEST	53	64140	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:16.719321012 CEST	52349	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:16.903140068 CEST	53	52349	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:16.906594038 CEST	59378	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.069770098 CEST	53	59378	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.073424101 CEST	58350	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.202601910 CEST	53	58350	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.206625938 CEST	50548	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.369883060 CEST	53	50548	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.373308897 CEST	53228	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.606075048 CEST	53	53228	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.609843969 CEST	60876	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.773010969 CEST	53	60876	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.776593924 CEST	50323	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:17.907826900 CEST	53	50323	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:17.911267996 CEST	58884	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:18.043180943 CEST	53	58884	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:18.045850039 CEST	50659	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:18.175466061 CEST	53	50659	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:18.178642988 CEST	65287	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:18.309672117 CEST	53	65287	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:18.313116074 CEST	54032	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:18.443211079 CEST	53	54032	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:21.487586021 CEST	51119	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:21.650276899 CEST	53	51119	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:21.653847933 CEST	57767	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:21.953766108 CEST	53	57767	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:21.957401991 CEST	54690	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.121715069 CEST	53	54690	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.125103951 CEST	51755	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.289572954 CEST	53	51755	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.292558908 CEST	51060	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.423259020 CEST	53	51060	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.426474094 CEST	56885	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.657285929 CEST	53	56885	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.660937071 CEST	58704	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.830053091 CEST	53	58704	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.833848953 CEST	50461	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:22.966583967 CEST	53	50461	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:22.970261097 CEST	58628	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:23.102112055 CEST	53	58628	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:23.105150938 CEST	54296	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:23.312868118 CEST	53	54296	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:26.341943026 CEST	64196	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:26.549401999 CEST	53	64196	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:26.552638054 CEST	54550	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:26.760077953 CEST	53	54550	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:26.763279915 CEST	64514	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:26.957865953 CEST	53	64514	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:26.961076975 CEST	52713	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:27.126580000 CEST	53	52713	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:27.130109072 CEST	53038	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:27.260960102 CEST	53	53038	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:27.264703035 CEST	65296	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:27.397468090 CEST	53	65296	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:27.400918007 CEST	51241	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:27.580326080 CEST	53	51241	1.1.1.1	192.168.11.30
Oct 15, 2024 15:41:27.583868027 CEST	65467	53	192.168.11.30	1.1.1.1
Oct 15, 2024 15:41:27.715879917 CEST	53	65467	1.1.1.1	192.168.11.30

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 15, 2024 15:39:36.417347908 CEST	192.168.11.1	192.168.11.30	952d	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 15, 2024 15:38:40.414622068 CEST	192.168.11.30	1.1.1.1	0x785e	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:38:58.442030907 CEST	192.168.11.30	1.1.1.1	0x46a9	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:38:59.711370945 CEST	192.168.11.30	1.1.1.1	0x9751	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:04.110301971 CEST	192.168.11.30	1.1.1.1	0x6ae7	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:05.532372952 CEST	192.168.11.30	1.1.1.1	0xa060	Standard query (0)	www.showmyipaddress.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:06.969485998 CEST	192.168.11.30	1.1.1.1	0xa7de	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:08.110032082 CEST	192.168.11.30	1.1.1.1	0xa248	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:11.890161037 CEST	192.168.11.30	1.1.1.1	0xd4fc	Standard query (0)	www.whatismyip.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:13.327150106 CEST	192.168.11.30	1.1.1.1	0x9d4d	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:15.482992887 CEST	192.168.11.30	1.1.1.1	0x2a8c	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:19.935543060 CEST	192.168.11.30	1.1.1.1	0x2f1d	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:23.666913033 CEST	192.168.11.30	1.1.1.1	0x5280	Standard query (0)	www.myspace.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:24.130404949 CEST	192.168.11.30	1.1.1.1	0x56f5	Standard query (0)	lwbjtptjlzji.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:24.323012114 CEST	192.168.11.30	1.1.1.1	0x742e	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:24.825845003 CEST	192.168.11.30	1.1.1.1	0x22c0	Standard query (0)	deroocmofof.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.055627108 CEST	192.168.11.30	1.1.1.1	0x3e04	Standard query (0)	fltebaltkwm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.189435005 CEST	192.168.11.30	1.1.1.1	0xd888	Standard query (0)	eukvpt.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.389005899 CEST	192.168.11.30	1.1.1.1	0xc82	Standard query (0)	cdrmqone.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.553493977 CEST	192.168.11.30	1.1.1.1	0xb02d	Standard query (0)	xhjwwgwd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.343383074 CEST	192.168.11.30	1.1.1.1	0xcd37	Standard query (0)	ggsukwasb.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.538328886 CEST	192.168.11.30	1.1.1.1	0xff6b	Standard query (0)	spyutmxdvvrw.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.744209051 CEST	192.168.11.30	1.1.1.1	0xf704	Standard query (0)	nwdyhujtzi.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.913572073 CEST	192.168.11.30	1.1.1.1	0x8c4f	Standard query (0)	cecitmbetwe.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.115839005 CEST	192.168.11.30	1.1.1.1	0x4087	Standard query (0)	fnvcomt.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.283669949 CEST	192.168.11.30	1.1.1.1	0xabe7	Standard query (0)	koqaswsiic.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.323983908 CEST	192.168.11.30	1.1.1.1	0xb2f0	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.469182968 CEST	192.168.11.30	1.1.1.1	0x68c5	Standard query (0)	ooqfgvnllbdj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.635292053 CEST	192.168.11.30	1.1.1.1	0x1129	Standard query (0)	ywzcjat.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.769813061 CEST	192.168.11.30	1.1.1.1	0x47d1	Standard query (0)	delnmynibhnu.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.905535936 CEST	192.168.11.30	1.1.1.1	0xf818	Standard query (0)	cgzmkaoqtpr.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.071770906 CEST	192.168.11.30	1.1.1.1	0x70e9	Standard query (0)	fakljq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.240761042 CEST	192.168.11.30	1.1.1.1	0xd960	Standard query (0)	yxeqglor.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.375235081 CEST	192.168.11.30	1.1.1.1	0x5aa5	Standard query (0)	ditidgffs.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.464379072 CEST	192.168.11.30	1.1.1.1	0x29af	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.543198109 CEST	192.168.11.30	1.1.1.1	0x819	Standard query (0)	wsmpvwxb.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.205935001 CEST	192.168.11.30	1.1.1.1	0x12d8	Standard query (0)	iogzpqtkbml.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.339679956 CEST	192.168.11.30	1.1.1.1	0x97f1	Standard query (0)	hdtuhunof.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.473287106 CEST	192.168.11.30	1.1.1.1	0x1cf1	Standard query (0)	habozmd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.608033895 CEST	192.168.11.30	1.1.1.1	0xd122	Standard query (0)	umwqai.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.773071051 CEST	192.168.11.30	1.1.1.1	0x2618	Standard query (0)	sfhqxtpgdcp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.906632900 CEST	192.168.11.30	1.1.1.1	0xa45c	Standard query (0)	lkykrcllfknb.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:30.074577093 CEST	192.168.11.30	1.1.1.1	0x2469	Standard query (0)	akzktct.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:30.210133076 CEST	192.168.11.30	1.1.1.1	0x9a93	Standard query (0)	iewiai.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.446309090 CEST	192.168.11.30	1.1.1.1	0x83bd	Standard query (0)	tqpudini.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.613446951 CEST	192.168.11.30	1.1.1.1	0x1052	Standard query (0)	rusadzqvki.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.778007030 CEST	192.168.11.30	1.1.1.1	0x3ce8	Standard query (0)	pqqobu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.944370031 CEST	192.168.11.30	1.1.1.1	0x3101	Standard query (0)	jrqwzahcxma.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.129754066 CEST	192.168.11.30	1.1.1.1	0xaf82	Standard query (0)	jexwxsd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.263114929 CEST	192.168.11.30	1.1.1.1	0xf97	Standard query (0)	xofihfrimj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.432594061 CEST	192.168.11.30	1.1.1.1	0x2097	Standard query (0)	qayaswom.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.570344925 CEST	192.168.11.30	1.1.1.1	0xb3fa	Standard query (0)	jctcln.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.704999924 CEST	192.168.11.30	1.1.1.1	0x94e8	Standard query (0)	iqiuqeui.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.885679007 CEST	192.168.11.30	1.1.1.1	0xdfa3	Standard query (0)	mackgqecao.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.018577099 CEST	192.168.11.30	1.1.1.1	0xa126	Standard query (0)	mgkssskeic.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.186800957 CEST	192.168.11.30	1.1.1.1	0xdd6f	Standard query (0)	ldziatjs.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.430341005 CEST	192.168.11.30	1.1.1.1	0xa2d6	Standard query (0)	dekudc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.627851009 CEST	192.168.11.30	1.1.1.1	0x3c6b	Standard query (0)	cwbmhpaqjfw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.792973995 CEST	192.168.11.30	1.1.1.1	0xc5e1	Standard query (0)	yiiemy.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.028609991 CEST	192.168.11.30	1.1.1.1	0x1e4c	Standard query (0)	ccwsnub.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.161560059 CEST	192.168.11.30	1.1.1.1	0x5073	Standard query (0)	sakmwmeuukis.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.295654058 CEST	192.168.11.30	1.1.1.1	0x9e2	Standard query (0)	bnkqoxtw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.465563059 CEST	192.168.11.30	1.1.1.1	0xf3d6	Standard query (0)	mscaguoqykue.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.605437040 CEST	192.168.11.30	1.1.1.1	0xd30f	Standard query (0)	qodrrrzehko.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.737934113 CEST	192.168.11.30	1.1.1.1	0xd144	Standard query (0)	oqiqgawygycg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.837378025 CEST	192.168.11.30	1.1.1.1	0x4dbc	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.871181965 CEST	192.168.11.30	1.1.1.1	0x29e4	Standard query (0)	dyhkxxkggdd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.083707094 CEST	192.168.11.30	1.1.1.1	0x35c3	Standard query (0)	quivwopczbfy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.221072912 CEST	192.168.11.30	1.1.1.1	0x6de0	Standard query (0)	mmfljcduuiq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.353149891 CEST	192.168.11.30	1.1.1.1	0x3ada	Standard query (0)	nbbghscbn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.534080982 CEST	192.168.11.30	1.1.1.1	0xffb0	Standard query (0)	tkhcfkf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.725290060 CEST	192.168.11.30	1.1.1.1	0x193f	Standard query (0)	zfzerwlmxkg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.864403009 CEST	192.168.11.30	1.1.1.1	0x408c	Standard query (0)	cukqaeyggw.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.977880955 CEST	192.168.11.30	1.1.1.1	0x9e10	Standard query (0)	www.whatismyip.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.999958038 CEST	192.168.11.30	1.1.1.1	0xaf9b	Standard query (0)	swnmtyjsf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.131649971 CEST	192.168.11.30	1.1.1.1	0x9128	Standard query (0)	bowmbsngr.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.268506050 CEST	192.168.11.30	1.1.1.1	0x4f46	Standard query (0)	kyhbvm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.450880051 CEST	192.168.11.30	1.1.1.1	0x15fb	Standard query (0)	wofeuyik.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.583066940 CEST	192.168.11.30	1.1.1.1	0x4fa6	Standard query (0)	qedsben.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.824426889 CEST	192.168.11.30	1.1.1.1	0xb557	Standard query (0)	uqgtbor.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.992537022 CEST	192.168.11.30	1.1.1.1	0x69be	Standard query (0)	rqzbtyqilrby.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.213931084 CEST	192.168.11.30	1.1.1.1	0x5d63	Standard query (0)	tmdlhcf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.347270966 CEST	192.168.11.30	1.1.1.1	0x5904	Standard query (0)	llymgadj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.486140966 CEST	192.168.11.30	1.1.1.1	0x273b	Standard query (0)	strpoehe.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.623193979 CEST	192.168.11.30	1.1.1.1	0xf88b	Standard query (0)	qhxaqmz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.762003899 CEST	192.168.11.30	1.1.1.1	0x7054	Standard query (0)	ptxmhgbxv.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.930895090 CEST	192.168.11.30	1.1.1.1	0x34ec	Standard query (0)	bsnmkqvxz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.064742088 CEST	192.168.11.30	1.1.1.1	0xbb60	Standard query (0)	ybgddyiuljpt.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.298084021 CEST	192.168.11.30	1.1.1.1	0x614c	Standard query (0)	wooovgmc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.432023048 CEST	192.168.11.30	1.1.1.1	0x57de	Standard query (0)	pmblwd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.566133022 CEST	192.168.11.30	1.1.1.1	0x3170	Standard query (0)	owfvaiicb.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.753295898 CEST	192.168.11.30	1.1.1.1	0x5098	Standard query (0)	rdnmtqyabal.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.958858013 CEST	192.168.11.30	1.1.1.1	0x61cc	Standard query (0)	cnzthi.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.123764992 CEST	192.168.11.30	1.1.1.1	0x2dc	Standard query (0)	ucrkhizrjle.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.261499882 CEST	192.168.11.30	1.1.1.1	0x122b	Standard query (0)	lbrmhwh.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.397197008 CEST	192.168.11.30	1.1.1.1	0xa25d	Standard query (0)	aipoxmkfh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.595206976 CEST	192.168.11.30	1.1.1.1	0x15ec	Standard query (0)	pznkbhqy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.760750055 CEST	192.168.11.30	1.1.1.1	0x5dcf	Standard query (0)	zytaxmwmimp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.948093891 CEST	192.168.11.30	1.1.1.1	0xd4e5	Standard query (0)	nhblvtkhsosr.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.158763885 CEST	192.168.11.30	1.1.1.1	0x8b2a	Standard query (0)	xuaibkgv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.466414928 CEST	192.168.11.30	1.1.1.1	0x13ba	Standard query (0)	isagooiqeu.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.599704981 CEST	192.168.11.30	1.1.1.1	0x127c	Standard query (0)	kapmdmvanjh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.734457970 CEST	192.168.11.30	1.1.1.1	0x40e0	Standard query (0)	iavgymgybax.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.867594004 CEST	192.168.11.30	1.1.1.1	0xd8f8	Standard query (0)	bgzsdevk.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.034259081 CEST	192.168.11.30	1.1.1.1	0x4d4e	Standard query (0)	uweeaaosgi.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.167839050 CEST	192.168.11.30	1.1.1.1	0x4aee	Standard query (0)	lsnsgqnhjek.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.303669930 CEST	192.168.11.30	1.1.1.1	0xbf34	Standard query (0)	fkfstwvpdih.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.439383984 CEST	192.168.11.30	1.1.1.1	0xc28a	Standard query (0)	igkawu.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.620383024 CEST	192.168.11.30	1.1.1.1	0x57e9	Standard query (0)	oqecuy.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.752687931 CEST	192.168.11.30	1.1.1.1	0x83fb	Standard query (0)	igpcvkvzb.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.887547016 CEST	192.168.11.30	1.1.1.1	0x48f4	Standard query (0)	sopgmznouqlh.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.054512978 CEST	192.168.11.30	1.1.1.1	0x686	Standard query (0)	rihbjuh.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.190884113 CEST	192.168.11.30	1.1.1.1	0x749a	Standard query (0)	vafwzud.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.335915089 CEST	192.168.11.30	1.1.1.1	0x5d36	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.357505083 CEST	192.168.11.30	1.1.1.1	0x3d0e	Standard query (0)	cyldvylo.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.491775990 CEST	192.168.11.30	1.1.1.1	0x7741	Standard query (0)	jwlihfftrqf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.660141945 CEST	192.168.11.30	1.1.1.1	0xc3aa	Standard query (0)	eqarlsfwjfba.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.795521975 CEST	192.168.11.30	1.1.1.1	0x8242	Standard query (0)	mbrwiditjn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.930398941 CEST	192.168.11.30	1.1.1.1	0x4220	Standard query (0)	cceywm.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:45.162209034 CEST	192.168.11.30	1.1.1.1	0x1853	Standard query (0)	zcdwpozkfvv.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.334391117 CEST	192.168.11.30	1.1.1.1	0xfcd0	Standard query (0)	uuiwkq.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.502665997 CEST	192.168.11.30	1.1.1.1	0xad95	Standard query (0)	gwcisuuo.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.639245987 CEST	192.168.11.30	1.1.1.1	0x5ebd	Standard query (0)	amvrxrvzrwqn.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.806818962 CEST	192.168.11.30	1.1.1.1	0x9ffb	Standard query (0)	wlsgkd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.973702908 CEST	192.168.11.30	1.1.1.1	0x8bed	Standard query (0)	ulfcsvuc.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.108383894 CEST	192.168.11.30	1.1.1.1	0xa445	Standard query (0)	hyloumvvua.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.241571903 CEST	192.168.11.30	1.1.1.1	0x7735	Standard query (0)	yhonummhox.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.377475977 CEST	192.168.11.30	1.1.1.1	0x21a	Standard query (0)	fexrcuretv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.514941931 CEST	192.168.11.30	1.1.1.1	0xa26e	Standard query (0)	hzsnry.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.695317984 CEST	192.168.11.30	1.1.1.1	0xa44e	Standard query (0)	ffofvkbozxfp.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.829531908 CEST	192.168.11.30	1.1.1.1	0x7468	Standard query (0)	mfxrrezr.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.974812984 CEST	192.168.11.30	1.1.1.1	0x8a43	Standard query (0)	ftpehwlaf.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:50.145515919 CEST	192.168.11.30	1.1.1.1	0x111f	Standard query (0)	muosqoie.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:50.769799948 CEST	192.168.11.30	1.1.1.1	0xd9d4	Standard query (0)	www.imdb.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.453795910 CEST	192.168.11.30	1.1.1.1	0xbdd3	Standard query (0)	tawibizuloh.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.687098980 CEST	192.168.11.30	1.1.1.1	0xcdac	Standard query (0)	uivmnckkpij.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.771187067 CEST	192.168.11.30	1.1.1.1	0xd902	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.821186066 CEST	192.168.11.30	1.1.1.1	0x3843	Standard query (0)	icdthcm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.954644918 CEST	192.168.11.30	1.1.1.1	0xd6ff	Standard query (0)	xffltdug.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.087939978 CEST	192.168.11.30	1.1.1.1	0x2d47	Standard query (0)	pomobah.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.253166914 CEST	192.168.11.30	1.1.1.1	0x1a3c	Standard query (0)	kwslgsua.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.385368109 CEST	192.168.11.30	1.1.1.1	0x1619	Standard query (0)	neklmjvt.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.553011894 CEST	192.168.11.30	1.1.1.1	0x2388	Standard query (0)	eyngxwxvv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.688724041 CEST	192.168.11.30	1.1.1.1	0x1305	Standard query (0)	kiooigv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.820857048 CEST	192.168.11.30	1.1.1.1	0xc9b	Standard query (0)	ngtlglf.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.048594952 CEST	192.168.11.30	1.1.1.1	0xc709	Standard query (0)	bsvkxs.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.215699911 CEST	192.168.11.30	1.1.1.1	0x1fed	Standard query (0)	xmvcfdcsymv.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.396856070 CEST	192.168.11.30	1.1.1.1	0x1384	Standard query (0)	jqxkxrg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.575463057 CEST	192.168.11.30	1.1.1.1	0x9c87	Standard query (0)	dwpqgivmpx.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.742520094 CEST	192.168.11.30	1.1.1.1	0x9dca	Standard query (0)	blygpfuqsf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.949686050 CEST	192.168.11.30	1.1.1.1	0x1b95	Standard query (0)	kscoccomsc.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.083051920 CEST	192.168.11.30	1.1.1.1	0x6e91	Standard query (0)	onlmeofrwh.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.216909885 CEST	192.168.11.30	1.1.1.1	0xde12	Standard query (0)	lzemrstoe.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.519056082 CEST	192.168.11.30	1.1.1.1	0x9d49	Standard query (0)	buzxzusv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.658297062 CEST	192.168.11.30	1.1.1.1	0xfc06	Standard query (0)	txflaunynf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.790200949 CEST	192.168.11.30	1.1.1.1	0x5c46	Standard query (0)	dekwdrys.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.923935890 CEST	192.168.11.30	1.1.1.1	0x9c4e	Standard query (0)	pfzvtdg.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.058650970 CEST	192.168.11.30	1.1.1.1	0x9e05	Standard query (0)	gsdusg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.271853924 CEST	192.168.11.30	1.1.1.1	0xb423	Standard query (0)	nmubfz.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.405524015 CEST	192.168.11.30	1.1.1.1	0x1144	Standard query (0)	gurklthyhkv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.551872969 CEST	192.168.11.30	1.1.1.1	0x4d39	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.572380066 CEST	192.168.11.30	1.1.1.1	0x8cb0	Standard query (0)	zuxymd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.779550076 CEST	192.168.11.30	1.1.1.1	0xad88	Standard query (0)	ygqeguwiogqi.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.914220095 CEST	192.168.11.30	1.1.1.1	0x7ffb	Standard query (0)	kqpsemrav.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.112750053 CEST	192.168.11.30	1.1.1.1	0x2221	Standard query (0)	aqwogctkcig.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.280780077 CEST	192.168.11.30	1.1.1.1	0x4b61	Standard query (0)	lhlsksy.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.466389894 CEST	192.168.11.30	1.1.1.1	0x85e9	Standard query (0)	mimmqwaykqia.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.647207022 CEST	192.168.11.30	1.1.1.1	0xec04	Standard query (0)	scpzbmxklu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.709202051 CEST	192.168.11.30	1.1.1.1	0xf3d7	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.780714035 CEST	192.168.11.30	1.1.1.1	0xe826	Standard query (0)	emrmaigh.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.915333986 CEST	192.168.11.30	1.1.1.1	0x1b26	Standard query (0)	mhposkbsmfgm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.052649975 CEST	192.168.11.30	1.1.1.1	0x66	Standard query (0)	msrrjwyrm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.260301113 CEST	192.168.11.30	1.1.1.1	0x6d6e	Standard query (0)	evftriicx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.563123941 CEST	192.168.11.30	1.1.1.1	0x7eda	Standard query (0)	yqwmiy.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.731981039 CEST	192.168.11.30	1.1.1.1	0x8d42	Standard query (0)	kgsysa.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.867403984 CEST	192.168.11.30	1.1.1.1	0x6ecb	Standard query (0)	rreezoiqbg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.004115105 CEST	192.168.11.30	1.1.1.1	0xe221	Standard query (0)	wkzfaedg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.188419104 CEST	192.168.11.30	1.1.1.1	0x49cf	Standard query (0)	dkxmvos.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.323312044 CEST	192.168.11.30	1.1.1.1	0xc715	Standard query (0)	tqfbxlwpvsip.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.524643898 CEST	192.168.11.30	1.1.1.1	0x6966	Standard query (0)	koindl.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.661382914 CEST	192.168.11.30	1.1.1.1	0xa2f8	Standard query (0)	yumqcygsqk.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.828836918 CEST	192.168.11.30	1.1.1.1	0xa6cf	Standard query (0)	vopsaqf.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.010289907 CEST	192.168.11.30	1.1.1.1	0x2833	Standard query (0)	cobmtgsmfpx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.248405933 CEST	192.168.11.30	1.1.1.1	0x335f	Standard query (0)	qemkas.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.485439062 CEST	192.168.11.30	1.1.1.1	0x7db7	Standard query (0)	bqtaiujbh.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.627218962 CEST	192.168.11.30	1.1.1.1	0xb388	Standard query (0)	swswoussmc.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.763695002 CEST	192.168.11.30	1.1.1.1	0x80c	Standard query (0)	lkqdmkckr.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.901222944 CEST	192.168.11.30	1.1.1.1	0xb415	Standard query (0)	pmbixadyny.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.068640947 CEST	192.168.11.30	1.1.1.1	0x4c7f	Standard query (0)	mmvcfomuzgr.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.202337980 CEST	192.168.11.30	1.1.1.1	0x209f	Standard query (0)	dcbeeq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.347054958 CEST	192.168.11.30	1.1.1.1	0xce2e	Standard query (0)	zjkdtmzuul.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.483568907 CEST	192.168.11.30	1.1.1.1	0x3d4b	Standard query (0)	sizbtf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.790452003 CEST	192.168.11.30	1.1.1.1	0xb948	Standard query (0)	ksqlfmrx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.988261938 CEST	192.168.11.30	1.1.1.1	0x4576	Standard query (0)	hlrqvyg.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.158591032 CEST	192.168.11.30	1.1.1.1	0xd0fd	Standard query (0)	zohogepxhih.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.394155025 CEST	192.168.11.30	1.1.1.1	0x689c	Standard query (0)	trpwlxg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.692405939 CEST	192.168.11.30	1.1.1.1	0x71d6	Standard query (0)	qbhdsh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.990890026 CEST	192.168.11.30	1.1.1.1	0xa731	Standard query (0)	wxxacjxlvl.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.232785940 CEST	192.168.11.30	1.1.1.1	0xe0f8	Standard query (0)	cxdmdldfv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.368508101 CEST	192.168.11.30	1.1.1.1	0x2ea	Standard query (0)	kiuwsu.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.501132011 CEST	192.168.11.30	1.1.1.1	0x4806	Standard query (0)	gtpyhzzsrd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.504079103 CEST	192.168.11.30	1.1.1.1	0x3422	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.639394045 CEST	192.168.11.30	1.1.1.1	0x2708	Standard query (0)	hcjufqt.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.892493010 CEST	192.168.11.30	1.1.1.1	0x37ad	Standard query (0)	pnraibr.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.138835907 CEST	192.168.11.30	1.1.1.1	0xee01	Standard query (0)	wljitkmmrsq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.306590080 CEST	192.168.11.30	1.1.1.1	0xaba6	Standard query (0)	qrkcmaiuj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.442756891 CEST	192.168.11.30	1.1.1.1	0xe3b6	Standard query (0)	uscpqm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.695008993 CEST	192.168.11.30	1.1.1.1	0x4523	Standard query (0)	ihpimdxy.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.895473957 CEST	192.168.11.30	1.1.1.1	0x7b4e	Standard query (0)	vwddzjzgjozz.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.062268972 CEST	192.168.11.30	1.1.1.1	0xeec9	Standard query (0)	yydylwx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.271080017 CEST	192.168.11.30	1.1.1.1	0xbbbd	Standard query (0)	vumilurpoatl.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.436827898 CEST	192.168.11.30	1.1.1.1	0x66be	Standard query (0)	urtmvkx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.573314905 CEST	192.168.11.30	1.1.1.1	0xfee4	Standard query (0)	vacovcj.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.706295967 CEST	192.168.11.30	1.1.1.1	0x3b6e	Standard query (0)	kuceigmowq.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.842514992 CEST	192.168.11.30	1.1.1.1	0x1627	Standard query (0)	eabmqsykas.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.976561069 CEST	192.168.11.30	1.1.1.1	0x818c	Standard query (0)	sanyfyesvat.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.112842083 CEST	192.168.11.30	1.1.1.1	0x952e	Standard query (0)	yjhofwlx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.433726072 CEST	192.168.11.30	1.1.1.1	0xa28e	Standard query (0)	dzxsldit.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.600706100 CEST	192.168.11.30	1.1.1.1	0xa3e0	Standard query (0)	pxmwgq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.769215107 CEST	192.168.11.30	1.1.1.1	0x5bc7	Standard query (0)	xjzmxageg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.905606985 CEST	192.168.11.30	1.1.1.1	0x66e0	Standard query (0)	jovzeem.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.208652973 CEST	192.168.11.30	1.1.1.1	0xac7d	Standard query (0)	xkntthpajft.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.390111923 CEST	192.168.11.30	1.1.1.1	0xc445	Standard query (0)	fiyhxjvgsqb.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.526298046 CEST	192.168.11.30	1.1.1.1	0xbe29	Standard query (0)	teyrdsuc.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.663937092 CEST	192.168.11.30	1.1.1.1	0xfb93	Standard query (0)	xqhrxqoh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.799264908 CEST	192.168.11.30	1.1.1.1	0x853e	Standard query (0)	huocyhaakf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.966694117 CEST	192.168.11.30	1.1.1.1	0x3e16	Standard query (0)	hagojezpc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.185673952 CEST	192.168.11.30	1.1.1.1	0xb3e0	Standard query (0)	ksqeyvwh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.268300056 CEST	192.168.11.30	1.1.1.1	0x344a	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.368194103 CEST	192.168.11.30	1.1.1.1	0xb2c8	Standard query (0)	rsgzts.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.576735020 CEST	192.168.11.30	1.1.1.1	0x8cc9	Standard query (0)	agvocmd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.709969997 CEST	192.168.11.30	1.1.1.1	0x6b12	Standard query (0)	wuzupehil.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.846354961 CEST	192.168.11.30	1.1.1.1	0x13fe	Standard query (0)	emxwaolfpmi.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.982986927 CEST	192.168.11.30	1.1.1.1	0xb407	Standard query (0)	wccbxqqoyoy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.150525093 CEST	192.168.11.30	1.1.1.1	0x42d9	Standard query (0)	tbyoyvhnfv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.452133894 CEST	192.168.11.30	1.1.1.1	0x8801	Standard query (0)	ffxhdkyy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.621052027 CEST	192.168.11.30	1.1.1.1	0x5bc1	Standard query (0)	bkeybclmy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.787724972 CEST	192.168.11.30	1.1.1.1	0x6fdd	Standard query (0)	wtflhxja.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.957937956 CEST	192.168.11.30	1.1.1.1	0xd0b1	Standard query (0)	bflthq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.101537943 CEST	192.168.11.30	1.1.1.1	0x3258	Standard query (0)	voqtbrbz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.235846043 CEST	192.168.11.30	1.1.1.1	0xa037	Standard query (0)	rjmynwz.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.551903963 CEST	192.168.11.30	1.1.1.1	0xcd98	Standard query (0)	fmpsoxtsv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.796868086 CEST	192.168.11.30	1.1.1.1	0x8d3a	Standard query (0)	vafyutroz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.995796919 CEST	192.168.11.30	1.1.1.1	0xe344	Standard query (0)	nzmtkansch.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.248888969 CEST	192.168.11.30	1.1.1.1	0x3634	Standard query (0)	aulokytqd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.563143015 CEST	192.168.11.30	1.1.1.1	0xb21	Standard query (0)	igousuia.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.737648010 CEST	192.168.11.30	1.1.1.1	0x98c4	Standard query (0)	gmwsmkuo.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.869527102 CEST	192.168.11.30	1.1.1.1	0xbc31	Standard query (0)	ahpirreonw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.037353992 CEST	192.168.11.30	1.1.1.1	0xa427	Standard query (0)	vmasuhbokayf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.065087080 CEST	192.168.11.30	1.1.1.1	0xe3e0	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.210278034 CEST	192.168.11.30	1.1.1.1	0x93f	Standard query (0)	horzaw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.346364021 CEST	192.168.11.30	1.1.1.1	0xa1e6	Standard query (0)	rboarkztdep.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.479967117 CEST	192.168.11.30	1.1.1.1	0x6210	Standard query (0)	nocrzsq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.731198072 CEST	192.168.11.30	1.1.1.1	0xa112	Standard query (0)	vgybvjppdvve.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.899132013 CEST	192.168.11.30	1.1.1.1	0x8bcb	Standard query (0)	ohtkxxg.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:14.034751892 CEST	192.168.11.30	1.1.1.1	0x9e38	Standard query (0)	xroqdulwju.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:14.286571980 CEST	192.168.11.30	1.1.1.1	0x3101	Standard query (0)	jmvozxx.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:17.532160997 CEST	192.168.11.30	1.1.1.1	0xb73	Standard query (0)	fgryrzlwv.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:17.837760925 CEST	192.168.11.30	1.1.1.1	0xea93	Standard query (0)	dilmlovovkn.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:17.974606991 CEST	192.168.11.30	1.1.1.1	0xd13d	Standard query (0)	cqockgwssaik.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.112304926 CEST	192.168.11.30	1.1.1.1	0x65a1	Standard query (0)	upvncjsnxw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.280862093 CEST	192.168.11.30	1.1.1.1	0x7c20	Standard query (0)	tyruco.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.415339947 CEST	192.168.11.30	1.1.1.1	0x485f	Standard query (0)	hiuqnlsktyn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.550473928 CEST	192.168.11.30	1.1.1.1	0x13a8	Standard query (0)	agakymgcigsw.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.785860062 CEST	192.168.11.30	1.1.1.1	0x2873	Standard query (0)	nercgrv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.921432018 CEST	192.168.11.30	1.1.1.1	0x4b65	Standard query (0)	wcasugikao.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.093174934 CEST	192.168.11.30	1.1.1.1	0x25e0	Standard query (0)	oasiou.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.229320049 CEST	192.168.11.30	1.1.1.1	0x85cb	Standard query (0)	qstyvuo.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.427567005 CEST	192.168.11.30	1.1.1.1	0xfa3	Standard query (0)	cufjtiyoj.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.646583080 CEST	192.168.11.30	1.1.1.1	0x2cdf	Standard query (0)	revndeg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.910707951 CEST	192.168.11.30	1.1.1.1	0xb175	Standard query (0)	sxwhjlvgpu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.045496941 CEST	192.168.11.30	1.1.1.1	0x80fa	Standard query (0)	magkesswuu.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.212366104 CEST	192.168.11.30	1.1.1.1	0xe212	Standard query (0)	lwsned.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.347815037 CEST	192.168.11.30	1.1.1.1	0x1350	Standard query (0)	tdfenz.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.439129114 CEST	192.168.11.30	1.1.1.1	0x67ce	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.536597013 CEST	192.168.11.30	1.1.1.1	0xcb8b	Standard query (0)	jbvspwqifcl.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.703058004 CEST	192.168.11.30	1.1.1.1	0x4098	Standard query (0)	cewoiimcwmow.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.001287937 CEST	192.168.11.30	1.1.1.1	0x1852	Standard query (0)	wrdtfuwqu.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.136564970 CEST	192.168.11.30	1.1.1.1	0x65b6	Standard query (0)	mwgyka.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.271790028 CEST	192.168.11.30	1.1.1.1	0xe866	Standard query (0)	ciqcimgqce.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.409508944 CEST	192.168.11.30	1.1.1.1	0x7ac5	Standard query (0)	pcvsdovpp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.543056011 CEST	192.168.11.30	1.1.1.1	0x38f3	Standard query (0)	lpysix.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.678983927 CEST	192.168.11.30	1.1.1.1	0x92de	Standard query (0)	ogeltrlncszo.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.860831976 CEST	192.168.11.30	1.1.1.1	0x9fe7	Standard query (0)	nxctobwc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.998054028 CEST	192.168.11.30	1.1.1.1	0xf6a	Standard query (0)	pnmplsbbix.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:25.204174042 CEST	192.168.11.30	1.1.1.1	0xac92	Standard query (0)	awoumowqyw.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:28.732544899 CEST	192.168.11.30	1.1.1.1	0xf9a0	Standard query (0)	dkuujwkup.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:28.868313074 CEST	192.168.11.30	1.1.1.1	0x949a	Standard query (0)	zfrhqybxtdeg.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.005860090 CEST	192.168.11.30	1.1.1.1	0x595e	Standard query (0)	egvabsriwel.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.176175117 CEST	192.168.11.30	1.1.1.1	0xf5eb	Standard query (0)	wgiusyackwya.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.314455032 CEST	192.168.11.30	1.1.1.1	0x1ace	Standard query (0)	uugiiqomoa.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.449090958 CEST	192.168.11.30	1.1.1.1	0xb80f	Standard query (0)	zszagqbuxtu.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.530795097 CEST	192.168.11.30	1.1.1.1	0x9f67	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.586075068 CEST	192.168.11.30	1.1.1.1	0x7feb	Standard query (0)	dskcygp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.754332066 CEST	192.168.11.30	1.1.1.1	0xbb4a	Standard query (0)	hevkrkpespf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.888900995 CEST	192.168.11.30	1.1.1.1	0xb97a	Standard query (0)	bmpdmba.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.056337118 CEST	192.168.11.30	1.1.1.1	0x147e	Standard query (0)	xssrxcm.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.226068974 CEST	192.168.11.30	1.1.1.1	0xcc5e	Standard query (0)	fygwaqxgysw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.429393053 CEST	192.168.11.30	1.1.1.1	0xb9e9	Standard query (0)	mcuklboyykac.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.565179110 CEST	192.168.11.30	1.1.1.1	0xbf44	Standard query (0)	bqwstab.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.700186014 CEST	192.168.11.30	1.1.1.1	0xfb01	Standard query (0)	wqwmek.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.939871073 CEST	192.168.11.30	1.1.1.1	0xc935	Standard query (0)	agfqpjgnocco.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.072240114 CEST	192.168.11.30	1.1.1.1	0xbfa4	Standard query (0)	jefodozzl.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.207207918 CEST	192.168.11.30	1.1.1.1	0x93b7	Standard query (0)	gsukcsgacuic.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.342436075 CEST	192.168.11.30	1.1.1.1	0x5666	Standard query (0)	yzbiymneerj.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.479990005 CEST	192.168.11.30	1.1.1.1	0x1424	Standard query (0)	nsnqdit.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.776096106 CEST	192.168.11.30	1.1.1.1	0x3207	Standard query (0)	kvywsfyj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.945789099 CEST	192.168.11.30	1.1.1.1	0x5b7e	Standard query (0)	zaplzz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:32.082159996 CEST	192.168.11.30	1.1.1.1	0x7a92	Standard query (0)	dwtopsisx.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:35.508886099 CEST	192.168.11.30	1.1.1.1	0xb18c	Standard query (0)	iilirx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:35.716840029 CEST	192.168.11.30	1.1.1.1	0x9ef3	Standard query (0)	zmzaasi.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:35.885670900 CEST	192.168.11.30	1.1.1.1	0xed2	Standard query (0)	rozslge.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.019810915 CEST	192.168.11.30	1.1.1.1	0x8c25	Standard query (0)	kgswyswsms.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.188375950 CEST	192.168.11.30	1.1.1.1	0x481b	Standard query (0)	oasmcuggak.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.324055910 CEST	192.168.11.30	1.1.1.1	0x5470	Standard query (0)	ravbrdlcxepx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.459127903 CEST	192.168.11.30	1.1.1.1	0x996c	Standard query (0)	mgjyyduwwax.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.681737900 CEST	192.168.11.30	1.1.1.1	0x9104	Standard query (0)	fduvhdv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.814660072 CEST	192.168.11.30	1.1.1.1	0x3db3	Standard query (0)	cywqlsx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.919897079 CEST	192.168.11.30	1.1.1.1	0x4be0	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.031027079 CEST	192.168.11.30	1.1.1.1	0xb159	Standard query (0)	egwkmsqm.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.198709965 CEST	192.168.11.30	1.1.1.1	0xfcc1	Standard query (0)	osxpaprezyg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.410093069 CEST	192.168.11.30	1.1.1.1	0xbfa1	Standard query (0)	ovmlyfsbvepf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.550668955 CEST	192.168.11.30	1.1.1.1	0xe8fc	Standard query (0)	xvhkkg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.687758923 CEST	192.168.11.30	1.1.1.1	0x3d81	Standard query (0)	lozupqunl.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.899818897 CEST	192.168.11.30	1.1.1.1	0x2919	Standard query (0)	rafoaiduv.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.035335064 CEST	192.168.11.30	1.1.1.1	0x2034	Standard query (0)	xixshgqsnxdm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.172792912 CEST	192.168.11.30	1.1.1.1	0x4927	Standard query (0)	pspexyjytqa.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.310612917 CEST	192.168.11.30	1.1.1.1	0x87c5	Standard query (0)	ktljlgcrkwv.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.477615118 CEST	192.168.11.30	1.1.1.1	0x8ab6	Standard query (0)	flmbvdibho.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.616976976 CEST	192.168.11.30	1.1.1.1	0x73b8	Standard query (0)	nwtltucdgxci.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.824876070 CEST	192.168.11.30	1.1.1.1	0x739	Standard query (0)	gemckmkqmeim.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:41.998590946 CEST	192.168.11.30	1.1.1.1	0xbfe3	Standard query (0)	qycosiiiykcy.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.135379076 CEST	192.168.11.30	1.1.1.1	0x62cd	Standard query (0)	zpryru.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.271543026 CEST	192.168.11.30	1.1.1.1	0xede6	Standard query (0)	lwlihog.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.410033941 CEST	192.168.11.30	1.1.1.1	0x529b	Standard query (0)	wuhkrrpew.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.668812037 CEST	192.168.11.30	1.1.1.1	0xb5c0	Standard query (0)	bonydwj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.804936886 CEST	192.168.11.30	1.1.1.1	0x7368	Standard query (0)	www.bbc.co.uk	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.837740898 CEST	192.168.11.30	1.1.1.1	0xc1e0	Standard query (0)	gifjwknnsa.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.972775936 CEST	192.168.11.30	1.1.1.1	0xb508	Standard query (0)	uagoeg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.236644030 CEST	192.168.11.30	1.1.1.1	0x1068	Standard query (0)	hosplypcd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.403394938 CEST	192.168.11.30	1.1.1.1	0x1933	Standard query (0)	kepiqy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.571538925 CEST	192.168.11.30	1.1.1.1	0xc498	Standard query (0)	skpxwstkygr.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.705096006 CEST	192.168.11.30	1.1.1.1	0xaa31	Standard query (0)	jcyusd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.926253080 CEST	192.168.11.30	1.1.1.1	0x8a09	Standard query (0)	ekojonrx.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.095637083 CEST	192.168.11.30	1.1.1.1	0x91a7	Standard query (0)	bgiqmzak.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.305754900 CEST	192.168.11.30	1.1.1.1	0x5b62	Standard query (0)	pqdwhoyqfyr.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.440424919 CEST	192.168.11.30	1.1.1.1	0xc8e	Standard query (0)	qledvhmwtgj.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.606043100 CEST	192.168.11.30	1.1.1.1	0x2caf	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.649853945 CEST	192.168.11.30	1.1.1.1	0xf11e	Standard query (0)	cvpprc.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.785608053 CEST	192.168.11.30	1.1.1.1	0xc50	Standard query (0)	zwphhjux.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.922159910 CEST	192.168.11.30	1.1.1.1	0x54b4	Standard query (0)	mepqfzed.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.060472012 CEST	192.168.11.30	1.1.1.1	0x63d2	Standard query (0)	khhwhgysu.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.195957899 CEST	192.168.11.30	1.1.1.1	0xbd3d	Standard query (0)	tjzaiyhoayd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.330426931 CEST	192.168.11.30	1.1.1.1	0xa527	Standard query (0)	wcikfayz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.541280031 CEST	192.168.11.30	1.1.1.1	0xb7a0	Standard query (0)	ftyayhvid.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.711361885 CEST	192.168.11.30	1.1.1.1	0x9bcb	Standard query (0)	htcdxnm.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.744759083 CEST	192.168.11.30	1.1.1.1	0xd187	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:48.947699070 CEST	192.168.11.30	1.1.1.1	0x78b0	Standard query (0)	eumiqrniuuj.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.083225965 CEST	192.168.11.30	1.1.1.1	0x968e	Standard query (0)	ukamqol.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.251451969 CEST	192.168.11.30	1.1.1.1	0x201e	Standard query (0)	kyszrzmuawj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.418332100 CEST	192.168.11.30	1.1.1.1	0x4f65	Standard query (0)	gvsvxirhjhmc.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.605550051 CEST	192.168.11.30	1.1.1.1	0x71e3	Standard query (0)	zavcnar.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.739710093 CEST	192.168.11.30	1.1.1.1	0x4c7d	Standard query (0)	fdnkvsylwiz.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.949956894 CEST	192.168.11.30	1.1.1.1	0xcbbb	Standard query (0)	otmccjnozm.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.118576050 CEST	192.168.11.30	1.1.1.1	0x5689	Standard query (0)	umcaqskg.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.252131939 CEST	192.168.11.30	1.1.1.1	0xbb57	Standard query (0)	ttnbfk.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.420017958 CEST	192.168.11.30	1.1.1.1	0xd50b	Standard query (0)	ryxedahgvtlu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.586915016 CEST	192.168.11.30	1.1.1.1	0x9085	Standard query (0)	bnuclyrxygnf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.721501112 CEST	192.168.11.30	1.1.1.1	0x6613	Standard query (0)	coxovsu.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.712886095 CEST	192.168.11.30	1.1.1.1	0x33f2	Standard query (0)	ryxqnubutjv.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.847227097 CEST	192.168.11.30	1.1.1.1	0x78a1	Standard query (0)	zyzubzht.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.982026100 CEST	192.168.11.30	1.1.1.1	0x9c0	Standard query (0)	qqbnhgbsqxd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.148946047 CEST	192.168.11.30	1.1.1.1	0x16cb	Standard query (0)	fxzpqzqd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.358076096 CEST	192.168.11.30	1.1.1.1	0x107d	Standard query (0)	pzavkbwk.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.399060965 CEST	192.168.11.30	1.1.1.1	0x8680	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.526359081 CEST	192.168.11.30	1.1.1.1	0xc3be	Standard query (0)	tlbiku.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.659454107 CEST	192.168.11.30	1.1.1.1	0x532c	Standard query (0)	vupjfqd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.795188904 CEST	192.168.11.30	1.1.1.1	0xb8fd	Standard query (0)	cmixxszxrf.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.930325031 CEST	192.168.11.30	1.1.1.1	0x8d0a	Standard query (0)	hintqdku.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.098484039 CEST	192.168.11.30	1.1.1.1	0xe005	Standard query (0)	bwvdpivgkbq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.390530109 CEST	192.168.11.30	1.1.1.1	0x5262	Standard query (0)	ybwgqhqrij.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.524136066 CEST	192.168.11.30	1.1.1.1	0x30fc	Standard query (0)	teewxe.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.750977039 CEST	192.168.11.30	1.1.1.1	0x557f	Standard query (0)	aubohelcvlm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.044800997 CEST	192.168.11.30	1.1.1.1	0x255d	Standard query (0)	rnrbzaiv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.281815052 CEST	192.168.11.30	1.1.1.1	0x5c08	Standard query (0)	uwpdwvsp.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.589972973 CEST	192.168.11.30	1.1.1.1	0xc1d0	Standard query (0)	trmpbuwu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.722759008 CEST	192.168.11.30	1.1.1.1	0x2532	Standard query (0)	mkouldrk.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.835540056 CEST	192.168.11.30	1.1.1.1	0xe4df	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.857971907 CEST	192.168.11.30	1.1.1.1	0x5b63	Standard query (0)	dadqeqrbmhkp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.025285959 CEST	192.168.11.30	1.1.1.1	0x5426	Standard query (0)	pguuxfdjxm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.235795975 CEST	192.168.11.30	1.1.1.1	0x857b	Standard query (0)	voisfho.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.537533998 CEST	192.168.11.30	1.1.1.1	0x73cf	Standard query (0)	aamsoqwekwec.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.721199036 CEST	192.168.11.30	1.1.1.1	0xdce8	Standard query (0)	jcasyzwnyb.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.856214046 CEST	192.168.11.30	1.1.1.1	0x1e3d	Standard query (0)	kzzieqwxrfgm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.990683079 CEST	192.168.11.30	1.1.1.1	0x840f	Standard query (0)	hoacxkhcaot.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.125519037 CEST	192.168.11.30	1.1.1.1	0xa7f6	Standard query (0)	bqyuiihdvkwp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.291580915 CEST	192.168.11.30	1.1.1.1	0x47d8	Standard query (0)	ykvsdehnbic.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.457935095 CEST	192.168.11.30	1.1.1.1	0x36cc	Standard query (0)	mdabnbhqftj.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.691026926 CEST	192.168.11.30	1.1.1.1	0xdb5	Standard query (0)	gqiugkyksc.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.825618982 CEST	192.168.11.30	1.1.1.1	0x3be3	Standard query (0)	bgkwjol.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.011589050 CEST	192.168.11.30	1.1.1.1	0x6346	Standard query (0)	ucrxnssd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.176898003 CEST	192.168.11.30	1.1.1.1	0x9795	Standard query (0)	faasdt.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.388931036 CEST	192.168.11.30	1.1.1.1	0x2130	Standard query (0)	ozsqpqy.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.525916100 CEST	192.168.11.30	1.1.1.1	0x2897	Standard query (0)	niyutxia.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.660623074 CEST	192.168.11.30	1.1.1.1	0x5d61	Standard query (0)	tqpofcjab.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.828598022 CEST	192.168.11.30	1.1.1.1	0x7ab5	Standard query (0)	terdonh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.039510012 CEST	192.168.11.30	1.1.1.1	0x2494	Standard query (0)	vsmntqmv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.356168032 CEST	192.168.11.30	1.1.1.1	0x1197	Standard query (0)	vjjuxotcr.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.492325068 CEST	192.168.11.30	1.1.1.1	0x1e37	Standard query (0)	pycyjn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.707912922 CEST	192.168.11.30	1.1.1.1	0x2a9b	Standard query (0)	zryswp.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.875504971 CEST	192.168.11.30	1.1.1.1	0xc159	Standard query (0)	iffkftv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.009589911 CEST	192.168.11.30	1.1.1.1	0x3d85	Standard query (0)	puvxcbhx.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.146507978 CEST	192.168.11.30	1.1.1.1	0x54ab	Standard query (0)	vwuhtwjkiukd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.287482023 CEST	192.168.11.30	1.1.1.1	0xb150	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.380774975 CEST	192.168.11.30	1.1.1.1	0x6db8	Standard query (0)	rqlmrcbc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.515264988 CEST	192.168.11.30	1.1.1.1	0x8393	Standard query (0)	ayocmawe.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.650487900 CEST	192.168.11.30	1.1.1.1	0x576e	Standard query (0)	akyndev.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.951936007 CEST	192.168.11.30	1.1.1.1	0x1df	Standard query (0)	jnqmtia.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.084130049 CEST	192.168.11.30	1.1.1.1	0x4703	Standard query (0)	pqjmoi.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.250597000 CEST	192.168.11.30	1.1.1.1	0x88ec	Standard query (0)	hcgosj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.418502092 CEST	192.168.11.30	1.1.1.1	0xdc7f	Standard query (0)	ocowiwigou.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.443864107 CEST	192.168.11.30	1.1.1.1	0x757c	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.552272081 CEST	192.168.11.30	1.1.1.1	0x985	Standard query (0)	yjtugxbx.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.689439058 CEST	192.168.11.30	1.1.1.1	0xc5ce	Standard query (0)	gbekjlws.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.823631048 CEST	192.168.11.30	1.1.1.1	0xa72e	Standard query (0)	nkrqzg.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.957568884 CEST	192.168.11.30	1.1.1.1	0x98be	Standard query (0)	uzpknqpehid.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.154458046 CEST	192.168.11.30	1.1.1.1	0x4098	Standard query (0)	sgdyfbvwe.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.291104078 CEST	192.168.11.30	1.1.1.1	0x83a1	Standard query (0)	iaimiwaw.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.456621885 CEST	192.168.11.30	1.1.1.1	0xc1b6	Standard query (0)	rcxvkunydmr.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.593631029 CEST	192.168.11.30	1.1.1.1	0xd318	Standard query (0)	meyuyaewaogs.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.891725063 CEST	192.168.11.30	1.1.1.1	0x1971	Standard query (0)	ksmggayg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:02.027658939 CEST	192.168.11.30	1.1.1.1	0x40fa	Standard query (0)	xkesrsk.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:04.912002087 CEST	192.168.11.30	1.1.1.1	0xdd5a	Standard query (0)	whatismyip.everdot.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.270987988 CEST	192.168.11.30	1.1.1.1	0xe4ee	Standard query (0)	htdnxe.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.437107086 CEST	192.168.11.30	1.1.1.1	0xa62e	Standard query (0)	djlijkrol.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.610394001 CEST	192.168.11.30	1.1.1.1	0x3b1e	Standard query (0)	hfmmrpaa.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.744123936 CEST	192.168.11.30	1.1.1.1	0xfa30	Standard query (0)	rqrglipkoyb.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.910861015 CEST	192.168.11.30	1.1.1.1	0x483	Standard query (0)	eobhpynq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.051698923 CEST	192.168.11.30	1.1.1.1	0xf13c	Standard query (0)	www.whatismyip.ca	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.077606916 CEST	192.168.11.30	1.1.1.1	0xab85	Standard query (0)	tchyfuocxrc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.279476881 CEST	192.168.11.30	1.1.1.1	0x9c33	Standard query (0)	gshaoi.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.508794069 CEST	192.168.11.30	1.1.1.1	0xb2c4	Standard query (0)	giglhwhuby.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.677675009 CEST	192.168.11.30	1.1.1.1	0x40fe	Standard query (0)	hamsvogno.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.812747002 CEST	192.168.11.30	1.1.1.1	0x52c9	Standard query (0)	ntcgvuryjee.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.948067904 CEST	192.168.11.30	1.1.1.1	0x45e3	Standard query (0)	qkwcuasm.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.083620071 CEST	192.168.11.30	1.1.1.1	0x31b2	Standard query (0)	dsklbkmbbx.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.292474031 CEST	192.168.11.30	1.1.1.1	0xcc2c	Standard query (0)	qmwoewqkaamo.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.457473993 CEST	192.168.11.30	1.1.1.1	0xe360	Standard query (0)	musmgsaw.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.597765923 CEST	192.168.11.30	1.1.1.1	0x86a7	Standard query (0)	jcfzmn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.804894924 CEST	192.168.11.30	1.1.1.1	0x5f5	Standard query (0)	suzetmnq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.971553087 CEST	192.168.11.30	1.1.1.1	0x3650	Standard query (0)	nllqlqfxanom.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.104996920 CEST	192.168.11.30	1.1.1.1	0x661b	Standard query (0)	jubkwv.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.411901951 CEST	192.168.11.30	1.1.1.1	0xbb92	Standard query (0)	saxwjjjeb.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.545228958 CEST	192.168.11.30	1.1.1.1	0x3f88	Standard query (0)	keyuqaco.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.787936926 CEST	192.168.11.30	1.1.1.1	0x11ed	Standard query (0)	hzxvah.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.954477072 CEST	192.168.11.30	1.1.1.1	0xe9d7	Standard query (0)	qaciphd.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.121844053 CEST	192.168.11.30	1.1.1.1	0xbd4e	Standard query (0)	vgpckslqq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.422920942 CEST	192.168.11.30	1.1.1.1	0xe271	Standard query (0)	qqikyaggkswy.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.602078915 CEST	192.168.11.30	1.1.1.1	0xac18	Standard query (0)	kwecii.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:12.905014038 CEST	192.168.11.30	1.1.1.1	0x754b	Standard query (0)	smtcrrm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.039949894 CEST	192.168.11.30	1.1.1.1	0xb785	Standard query (0)	rfqpbojltq.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.226073980 CEST	192.168.11.30	1.1.1.1	0x4ab0	Standard query (0)	waieucykau.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.360898972 CEST	192.168.11.30	1.1.1.1	0x8189	Standard query (0)	dieqnoxgfoxb.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.497730017 CEST	192.168.11.30	1.1.1.1	0x45a8	Standard query (0)	pqkcuqqnpqd.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.632421970 CEST	192.168.11.30	1.1.1.1	0xe093	Standard query (0)	hiazdcy.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.818116903 CEST	192.168.11.30	1.1.1.1	0x762a	Standard query (0)	kqpxtsgpzx.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.951265097 CEST	192.168.11.30	1.1.1.1	0x640a	Standard query (0)	vjvslqxmv.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.086193085 CEST	192.168.11.30	1.1.1.1	0xe265	Standard query (0)	otykmmxuwhs.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.303845882 CEST	192.168.11.30	1.1.1.1	0xffb	Standard query (0)	savdog.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.471139908 CEST	192.168.11.30	1.1.1.1	0x1c72	Standard query (0)	jgrfdugjau.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.639642954 CEST	192.168.11.30	1.1.1.1	0x1870	Standard query (0)	kkakqqayhyu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.785166025 CEST	192.168.11.30	1.1.1.1	0xb3ff	Standard query (0)	eedijewjab.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.970844984 CEST	192.168.11.30	1.1.1.1	0xbb55	Standard query (0)	hayarmmbzyv.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.136620045 CEST	192.168.11.30	1.1.1.1	0x90b7	Standard query (0)	cspcpap.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.271349907 CEST	192.168.11.30	1.1.1.1	0xc76a	Standard query (0)	phwbulosja.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.406755924 CEST	192.168.11.30	1.1.1.1	0xbb30	Standard query (0)	iaqmeowe.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.540358067 CEST	192.168.11.30	1.1.1.1	0x3897	Standard query (0)	bcnuzzk.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.677042961 CEST	192.168.11.30	1.1.1.1	0x58cb	Standard query (0)	nhzkbxtuxso.com	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.811647892 CEST	192.168.11.30	1.1.1.1	0x6b93	Standard query (0)	awbabah.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.944691896 CEST	192.168.11.30	1.1.1.1	0x8d12	Standard query (0)	qiaykqoaqe.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.178014040 CEST	192.168.11.30	1.1.1.1	0x9af	Standard query (0)	rigtmebyrwk.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.416313887 CEST	192.168.11.30	1.1.1.1	0xf72c	Standard query (0)	fyuftjcbykxh.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.551795959 CEST	192.168.11.30	1.1.1.1	0xaae4	Standard query (0)	bwvwvtkesnht.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.719321012 CEST	192.168.11.30	1.1.1.1	0x4c8d	Standard query (0)	ikvzsyc.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.906594038 CEST	192.168.11.30	1.1.1.1	0xc624	Standard query (0)	hztehanu.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.073424101 CEST	192.168.11.30	1.1.1.1	0xf4e7	Standard query (0)	qsiwcddk.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.206625938 CEST	192.168.11.30	1.1.1.1	0xf58c	Standard query (0)	drpgrw.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.373308897 CEST	192.168.11.30	1.1.1.1	0xc1c3	Standard query (0)	ocndbcf.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.609843969 CEST	192.168.11.30	1.1.1.1	0x61b0	Standard query (0)	pzhnljvmfru.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.776593924 CEST	192.168.11.30	1.1.1.1	0xeb91	Standard query (0)	nqhldiaq.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.911267996 CEST	192.168.11.30	1.1.1.1	0x737d	Standard query (0)	ejguppjem.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.045850039 CEST	192.168.11.30	1.1.1.1	0x25ac	Standard query (0)	ufvxhp.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.178642988 CEST	192.168.11.30	1.1.1.1	0x1fb	Standard query (0)	xilsfdgn.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.313116074 CEST	192.168.11.30	1.1.1.1	0xc45f	Standard query (0)	qkqsgqekyago.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:21.487586021 CEST	192.168.11.30	1.1.1.1	0xf771	Standard query (0)	jtbancuulki.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:21.653847933 CEST	192.168.11.30	1.1.1.1	0x967a	Standard query (0)	ykydrbpoxqpu.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:21.957401991 CEST	192.168.11.30	1.1.1.1	0xc967	Standard query (0)	gorfnmtwasl.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.125103951 CEST	192.168.11.30	1.1.1.1	0xff19	Standard query (0)	xnsamtpm.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.292558908 CEST	192.168.11.30	1.1.1.1	0x5ef2	Standard query (0)	pfqdbsyn.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.426474094 CEST	192.168.11.30	1.1.1.1	0x2ebe	Standard query (0)	euuoqg.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.660937071 CEST	192.168.11.30	1.1.1.1	0xa16e	Standard query (0)	vtbcnjvmwj.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.833848953 CEST	192.168.11.30	1.1.1.1	0x74a3	Standard query (0)	xfbeqk.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.970261097 CEST	192.168.11.30	1.1.1.1	0xdaac	Standard query (0)	pgglnkael.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:23.105150938 CEST	192.168.11.30	1.1.1.1	0xb9f7	Standard query (0)	buakrgp.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.341943026 CEST	192.168.11.30	1.1.1.1	0xe144	Standard query (0)	xthmhc.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.552638054 CEST	192.168.11.30	1.1.1.1	0x8776	Standard query (0)	ebzwtwgch.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.763279915 CEST	192.168.11.30	1.1.1.1	0xc2e	Standard query (0)	vispyytg.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.961076975 CEST	192.168.11.30	1.1.1.1	0x2cf8	Standard query (0)	nifigom.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.130109072 CEST	192.168.11.30	1.1.1.1	0xc16a	Standard query (0)	nrayothh.net	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.264703035 CEST	192.168.11.30	1.1.1.1	0x44ac	Standard query (0)	zncepwjkjm.info	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.400918007 CEST	192.168.11.30	1.1.1.1	0xab79	Standard query (0)	rieoxvzxc.org	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.583868027 CEST	192.168.11.30	1.1.1.1	0x136a	Standard query (0)	ystygahkl.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 15, 2024 15:38:39.970716953 CEST	1.1.1.1	192.168.11.30	0xfad0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:38:39.970716953 CEST	1.1.1.1	192.168.11.30	0xfad0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:38:40.543474913 CEST	1.1.1.1	192.168.11.30	0x785e	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:38:40.543474913 CEST	1.1.1.1	192.168.11.30	0x785e	No error (0)	pki-goog.l.google.com		142.250.217.195	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:38:58.691678047 CEST	1.1.1.1	192.168.11.30	0x46a9	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:00.056958914 CEST	1.1.1.1	192.168.11.30	0x9751	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:04.240602970 CEST	1.1.1.1	192.168.11.30	0x6ae7	No error (0)	whatismyipaddress.com		104.19.223.79	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:04.240602970 CEST	1.1.1.1	192.168.11.30	0x6ae7	No error (0)	whatismyipaddress.com		104.19.222.79	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:05.665496111 CEST	1.1.1.1	192.168.11.30	0xa060	No error (0)	www.showmyipaddress.com		172.67.155.175	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:05.665496111 CEST	1.1.1.1	192.168.11.30	0xa060	No error (0)	www.showmyipaddress.com		104.21.74.56	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:07.100681067 CEST	1.1.1.1	192.168.11.30	0xa7de	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:08.242410898 CEST	1.1.1.1	192.168.11.30	0xa248	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:12.021565914 CEST	1.1.1.1	192.168.11.30	0xd4fc	No error (0)	www.whatismyip.com		104.27.206.92	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:12.021565914 CEST	1.1.1.1	192.168.11.30	0xd4fc	No error (0)	www.whatismyip.com		104.27.207.92	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:13.458456993 CEST	1.1.1.1	192.168.11.30	0x9d4d	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:15.612498045 CEST	1.1.1.1	192.168.11.30	0x2a8c	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:20.065711021 CEST	1.1.1.1	192.168.11.30	0x2f1d	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:23.849709034 CEST	1.1.1.1	192.168.11.30	0x5280	No error (0)	www.myspace.com	myspace.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:39:23.849709034 CEST	1.1.1.1	192.168.11.30	0x5280	No error (0)	myspace.com		34.111.176.156	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:24.261054993 CEST	1.1.1.1	192.168.11.30	0x56f5	No error (0)	lwbjtptjlzji.net		35.164.78.200	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:24.451708078 CEST	1.1.1.1	192.168.11.30	0x742e	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:39:24.451708078 CEST	1.1.1.1	192.168.11.30	0x742e	No error (0)	star-mini.c10r.facebook.com		31.13.67.35	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.051882029 CEST	1.1.1.1	192.168.11.30	0x22c0	Name error (3)	deroocmofof.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.186273098 CEST	1.1.1.1	192.168.11.30	0x3e04	Name error (3)	fltebaltkwm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.385679960 CEST	1.1.1.1	192.168.11.30	0xd888	Name error (3)	eukvpt.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.550928116 CEST	1.1.1.1	192.168.11.30	0xc82	Name error (3)	cdrmqone.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:25.813426018 CEST	1.1.1.1	192.168.11.30	0xb02d	No error (0)	xhjwwgwd.info		85.214.228.140	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.535705090 CEST	1.1.1.1	192.168.11.30	0xcd37	Name error (3)	ggsukwasb.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.741101027 CEST	1.1.1.1	192.168.11.30	0xff6b	Name error (3)	spyutmxdvvrw.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:26.908265114 CEST	1.1.1.1	192.168.11.30	0xf704	Name error (3)	nwdyhujtzi.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.108666897 CEST	1.1.1.1	192.168.11.30	0x8c4f	Name error (3)	cecitmbetwe.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.280401945 CEST	1.1.1.1	192.168.11.30	0x4087	Name error (3)	fnvcomt.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.454562902 CEST	1.1.1.1	192.168.11.30	0xb2f0	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.466823101 CEST	1.1.1.1	192.168.11.30	0xabe7	Name error (3)	koqaswsiic.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.632443905 CEST	1.1.1.1	192.168.11.30	0x68c5	Name error (3)	ooqfgvnllbdj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.766661882 CEST	1.1.1.1	192.168.11.30	0x1129	Name error (3)	ywzcjat.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:27.901990891 CEST	1.1.1.1	192.168.11.30	0x47d1	Name error (3)	delnmynibhnu.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.068475008 CEST	1.1.1.1	192.168.11.30	0xf818	Name error (3)	cgzmkaoqtpr.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.237410069 CEST	1.1.1.1	192.168.11.30	0x70e9	Name error (3)	fakljq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.372087955 CEST	1.1.1.1	192.168.11.30	0xd960	Name error (3)	yxeqglor.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.540050983 CEST	1.1.1.1	192.168.11.30	0x5aa5	Name error (3)	ditidgffs.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.593305111 CEST	1.1.1.1	192.168.11.30	0x29af	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:28.872649908 CEST	1.1.1.1	192.168.11.30	0x819	No error (0)	wsmpvwxb.info		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.337193012 CEST	1.1.1.1	192.168.11.30	0x12d8	Name error (3)	iogzpqtkbml.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.470954895 CEST	1.1.1.1	192.168.11.30	0x97f1	Name error (3)	hdtuhunof.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.604614973 CEST	1.1.1.1	192.168.11.30	0x1cf1	Name error (3)	habozmd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.770373106 CEST	1.1.1.1	192.168.11.30	0xd122	Name error (3)	umwqai.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:29.902823925 CEST	1.1.1.1	192.168.11.30	0x2618	Name error (3)	sfhqxtpgdcp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:30.070483923 CEST	1.1.1.1	192.168.11.30	0xa45c	Name error (3)	lkykrcllfknb.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:30.206793070 CEST	1.1.1.1	192.168.11.30	0x2469	Name error (3)	akzktct.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:30.418538094 CEST	1.1.1.1	192.168.11.30	0x9a93	No error (0)	iewiai.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.610733032 CEST	1.1.1.1	192.168.11.30	0x83bd	Name error (3)	tqpudini.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.775558949 CEST	1.1.1.1	192.168.11.30	0x1052	Name error (3)	rusadzqvki.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:33.941978931 CEST	1.1.1.1	192.168.11.30	0x3ce8	Name error (3)	pqqobu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.126616955 CEST	1.1.1.1	192.168.11.30	0x3101	Name error (3)	jrqwzahcxma.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.260364056 CEST	1.1.1.1	192.168.11.30	0xaf82	Name error (3)	jexwxsd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.427784920 CEST	1.1.1.1	192.168.11.30	0xf97	Name error (3)	xofihfrimj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.564467907 CEST	1.1.1.1	192.168.11.30	0x2097	Name error (3)	qayaswom.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.702178955 CEST	1.1.1.1	192.168.11.30	0xb3fa	Name error (3)	jctcln.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:34.883207083 CEST	1.1.1.1	192.168.11.30	0x94e8	Name error (3)	iqiuqeui.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.016244888 CEST	1.1.1.1	192.168.11.30	0xdfa3	Name error (3)	mackgqecao.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.183159113 CEST	1.1.1.1	192.168.11.30	0xa126	Name error (3)	mgkssskeic.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.426217079 CEST	1.1.1.1	192.168.11.30	0xdd6f	Name error (3)	ldziatjs.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.625288010 CEST	1.1.1.1	192.168.11.30	0xa2d6	Name error (3)	dekudc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:35.790374994 CEST	1.1.1.1	192.168.11.30	0x3c6b	Name error (3)	cwbmhpaqjfw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.025738001 CEST	1.1.1.1	192.168.11.30	0xc5e1	Name error (3)	yiiemy.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.159022093 CEST	1.1.1.1	192.168.11.30	0x1e4c	Name error (3)	ccwsnub.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.292989016 CEST	1.1.1.1	192.168.11.30	0x5073	Name error (3)	sakmwmeuukis.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.462687969 CEST	1.1.1.1	192.168.11.30	0x9e2	Name error (3)	bnkqoxtw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.601824045 CEST	1.1.1.1	192.168.11.30	0xf3d6	Name error (3)	mscaguoqykue.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.734504938 CEST	1.1.1.1	192.168.11.30	0xd30f	Name error (3)	qodrrrzehko.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.868453979 CEST	1.1.1.1	192.168.11.30	0xd144	Name error (3)	oqiqgawygycg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:36.966979027 CEST	1.1.1.1	192.168.11.30	0x4dbc	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.079407930 CEST	1.1.1.1	192.168.11.30	0x29e4	Name error (3)	dyhkxxkggdd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.216861010 CEST	1.1.1.1	192.168.11.30	0x35c3	Name error (3)	quivwopczbfy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.350467920 CEST	1.1.1.1	192.168.11.30	0x6de0	Name error (3)	mmfljcduuiq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.531624079 CEST	1.1.1.1	192.168.11.30	0x3ada	Name error (3)	nbbghscbn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.722978115 CEST	1.1.1.1	192.168.11.30	0xffb0	Name error (3)	tkhcfkf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.861534119 CEST	1.1.1.1	192.168.11.30	0x193f	Name error (3)	zfzerwlmxkg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:37.997571945 CEST	1.1.1.1	192.168.11.30	0x408c	Name error (3)	cukqaeyggw.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.106955051 CEST	1.1.1.1	192.168.11.30	0x9e10	No error (0)	www.whatismyip.com		104.27.207.92	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.106955051 CEST	1.1.1.1	192.168.11.30	0x9e10	No error (0)	www.whatismyip.com		104.27.206.92	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.129209042 CEST	1.1.1.1	192.168.11.30	0xaf9b	Name error (3)	swnmtyjsf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.265034914 CEST	1.1.1.1	192.168.11.30	0x9128	Name error (3)	bowmbsngr.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.447813034 CEST	1.1.1.1	192.168.11.30	0x4f46	Name error (3)	kyhbvm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.580187082 CEST	1.1.1.1	192.168.11.30	0x15fb	Name error (3)	wofeuyik.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.820915937 CEST	1.1.1.1	192.168.11.30	0x4fa6	Name error (3)	qedsben.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:38.989698887 CEST	1.1.1.1	192.168.11.30	0xb557	Name error (3)	uqgtbor.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.209005117 CEST	1.1.1.1	192.168.11.30	0x69be	Name error (3)	rqzbtyqilrby.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.344187021 CEST	1.1.1.1	192.168.11.30	0x5d63	Name error (3)	tmdlhcf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.483468056 CEST	1.1.1.1	192.168.11.30	0x5904	Name error (3)	llymgadj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.619304895 CEST	1.1.1.1	192.168.11.30	0x273b	Name error (3)	strpoehe.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.755795956 CEST	1.1.1.1	192.168.11.30	0xf88b	Name error (3)	qhxaqmz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:39.926956892 CEST	1.1.1.1	192.168.11.30	0x7054	Name error (3)	ptxmhgbxv.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.061706066 CEST	1.1.1.1	192.168.11.30	0x34ec	Name error (3)	bsnmkqvxz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.295646906 CEST	1.1.1.1	192.168.11.30	0xbb60	Name error (3)	ybgddyiuljpt.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.429178953 CEST	1.1.1.1	192.168.11.30	0x614c	Name error (3)	wooovgmc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.562865973 CEST	1.1.1.1	192.168.11.30	0x57de	Name error (3)	pmblwd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.750669003 CEST	1.1.1.1	192.168.11.30	0x3170	Name error (3)	owfvaiicb.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:40.956217051 CEST	1.1.1.1	192.168.11.30	0x5098	Name error (3)	rdnmtqyabal.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.120914936 CEST	1.1.1.1	192.168.11.30	0x61cc	Name error (3)	cnzthi.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.257857084 CEST	1.1.1.1	192.168.11.30	0x2dc	Name error (3)	ucrkhizrjle.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.394018888 CEST	1.1.1.1	192.168.11.30	0x122b	Name error (3)	lbrmhwh.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.592291117 CEST	1.1.1.1	192.168.11.30	0xa25d	Name error (3)	aipoxmkfh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.758399963 CEST	1.1.1.1	192.168.11.30	0x15ec	Name error (3)	pznkbhqy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:41.944401979 CEST	1.1.1.1	192.168.11.30	0x5dcf	Name error (3)	zytaxmwmimp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.155827045 CEST	1.1.1.1	192.168.11.30	0xd4e5	Name error (3)	nhblvtkhsosr.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.459836006 CEST	1.1.1.1	192.168.11.30	0x8b2a	Name error (3)	xuaibkgv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.596246004 CEST	1.1.1.1	192.168.11.30	0x13ba	Name error (3)	isagooiqeu.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.731889009 CEST	1.1.1.1	192.168.11.30	0x127c	Name error (3)	kapmdmvanjh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:42.864972115 CEST	1.1.1.1	192.168.11.30	0x40e0	Name error (3)	iavgymgybax.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.031594038 CEST	1.1.1.1	192.168.11.30	0xd8f8	Name error (3)	bgzsdevk.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.165231943 CEST	1.1.1.1	192.168.11.30	0x4d4e	Name error (3)	uweeaaosgi.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.300740957 CEST	1.1.1.1	192.168.11.30	0x4aee	Name error (3)	lsnsgqnhjek.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.436906099 CEST	1.1.1.1	192.168.11.30	0xbf34	Name error (3)	fkfstwvpdih.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.618046045 CEST	1.1.1.1	192.168.11.30	0xc28a	Name error (3)	igkawu.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.750108957 CEST	1.1.1.1	192.168.11.30	0x57e9	Name error (3)	oqecuy.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:43.884051085 CEST	1.1.1.1	192.168.11.30	0x83fb	Name error (3)	igpcvkvzb.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.051434994 CEST	1.1.1.1	192.168.11.30	0x48f4	Name error (3)	sopgmznouqlh.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.188566923 CEST	1.1.1.1	192.168.11.30	0x686	Name error (3)	rihbjuh.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.354953051 CEST	1.1.1.1	192.168.11.30	0x749a	Name error (3)	vafwzud.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.465910912 CEST	1.1.1.1	192.168.11.30	0x5d36	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.488811016 CEST	1.1.1.1	192.168.11.30	0x3d0e	Name error (3)	cyldvylo.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.657041073 CEST	1.1.1.1	192.168.11.30	0x7741	Name error (3)	jwlihfftrqf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.791743994 CEST	1.1.1.1	192.168.11.30	0xc3aa	Name error (3)	eqarlsfwjfba.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:44.927017927 CEST	1.1.1.1	192.168.11.30	0x8242	Name error (3)	mbrwiditjn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:45.156805038 CEST	1.1.1.1	192.168.11.30	0x4220	Name error (3)	cceywm.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:45.291872978 CEST	1.1.1.1	192.168.11.30	0x1853	No error (0)	zcdwpozkfvv.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.496766090 CEST	1.1.1.1	192.168.11.30	0xfcd0	Name error (3)	uuiwkq.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.636775970 CEST	1.1.1.1	192.168.11.30	0xad95	Name error (3)	gwcisuuo.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.804239035 CEST	1.1.1.1	192.168.11.30	0x5ebd	Name error (3)	amvrxrvzrwqn.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:48.970596075 CEST	1.1.1.1	192.168.11.30	0x9ffb	Name error (3)	wlsgkd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.104712009 CEST	1.1.1.1	192.168.11.30	0x8bed	Name error (3)	ulfcsvuc.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.238882065 CEST	1.1.1.1	192.168.11.30	0xa445	Name error (3)	hyloumvvua.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.373984098 CEST	1.1.1.1	192.168.11.30	0x7735	Name error (3)	yhonummhox.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.511455059 CEST	1.1.1.1	192.168.11.30	0x21a	Name error (3)	fexrcuretv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.692310095 CEST	1.1.1.1	192.168.11.30	0xa26e	Name error (3)	hzsnry.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.826980114 CEST	1.1.1.1	192.168.11.30	0xa44e	Name error (3)	ffofvkbozxfp.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:49.971786022 CEST	1.1.1.1	192.168.11.30	0x7468	Name error (3)	mfxrrezr.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:50.142409086 CEST	1.1.1.1	192.168.11.30	0x8a43	Name error (3)	ftpehwlaf.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:50.353863001 CEST	1.1.1.1	192.168.11.30	0x111f	No error (0)	muosqoie.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:50.898416042 CEST	1.1.1.1	192.168.11.30	0xd9d4	No error (0)	www.imdb.com	tp.391b988c0-frontier.imdb.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:39:50.898416042 CEST	1.1.1.1	192.168.11.30	0xd9d4	No error (0)	tp.391b988c0-frontier.imdb.com	d2bytcopxu066p.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:39:50.898416042 CEST	1.1.1.1	192.168.11.30	0xd9d4	No error (0)	d2bytcopxu066p.cloudfront.net		18.64.172.225	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.683918953 CEST	1.1.1.1	192.168.11.30	0xbdd3	Name error (3)	tawibizuloh.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.818645000 CEST	1.1.1.1	192.168.11.30	0xcdac	Name error (3)	uivmnckkpij.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.901978970 CEST	1.1.1.1	192.168.11.30	0xd902	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:53.951093912 CEST	1.1.1.1	192.168.11.30	0x3843	Name error (3)	icdthcm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.085144043 CEST	1.1.1.1	192.168.11.30	0xd6ff	Name error (3)	xffltdug.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.250549078 CEST	1.1.1.1	192.168.11.30	0x2d47	Name error (3)	pomobah.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.382061958 CEST	1.1.1.1	192.168.11.30	0x1a3c	Name error (3)	kwslgsua.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.549787998 CEST	1.1.1.1	192.168.11.30	0x1619	Name error (3)	neklmjvt.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.684068918 CEST	1.1.1.1	192.168.11.30	0x2388	Name error (3)	eyngxwxvv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:54.818108082 CEST	1.1.1.1	192.168.11.30	0x1305	Name error (3)	kiooigv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.044022083 CEST	1.1.1.1	192.168.11.30	0xc9b	Name error (3)	ngtlglf.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.210772991 CEST	1.1.1.1	192.168.11.30	0xc709	Name error (3)	bsvkxs.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.394150972 CEST	1.1.1.1	192.168.11.30	0x1fed	Name error (3)	xmvcfdcsymv.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.572534084 CEST	1.1.1.1	192.168.11.30	0x1384	Name error (3)	jqxkxrg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.739037037 CEST	1.1.1.1	192.168.11.30	0x9c87	Name error (3)	dwpqgivmpx.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:55.946197987 CEST	1.1.1.1	192.168.11.30	0x9dca	Name error (3)	blygpfuqsf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.079489946 CEST	1.1.1.1	192.168.11.30	0x1b95	Name error (3)	kscoccomsc.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.213932037 CEST	1.1.1.1	192.168.11.30	0x6e91	Name error (3)	onlmeofrwh.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.516108990 CEST	1.1.1.1	192.168.11.30	0xde12	Name error (3)	lzemrstoe.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.655040026 CEST	1.1.1.1	192.168.11.30	0x9d49	Name error (3)	buzxzusv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.787498951 CEST	1.1.1.1	192.168.11.30	0xfc06	Name error (3)	txflaunynf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:56.921091080 CEST	1.1.1.1	192.168.11.30	0x5c46	Name error (3)	dekwdrys.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.055784941 CEST	1.1.1.1	192.168.11.30	0x9c4e	Name error (3)	pfzvtdg.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.268176079 CEST	1.1.1.1	192.168.11.30	0x9e05	Name error (3)	gsdusg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.402077913 CEST	1.1.1.1	192.168.11.30	0xb423	Name error (3)	nmubfz.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.569474936 CEST	1.1.1.1	192.168.11.30	0x1144	Name error (3)	gurklthyhkv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.688996077 CEST	1.1.1.1	192.168.11.30	0x4d39	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.775567055 CEST	1.1.1.1	192.168.11.30	0x8cb0	Name error (3)	zuxymd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:57.909548044 CEST	1.1.1.1	192.168.11.30	0xad88	Name error (3)	ygqeguwiogqi.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.109240055 CEST	1.1.1.1	192.168.11.30	0x7ffb	Name error (3)	kqpsemrav.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.277627945 CEST	1.1.1.1	192.168.11.30	0x2221	Name error (3)	aqwogctkcig.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.463618040 CEST	1.1.1.1	192.168.11.30	0x4b61	Name error (3)	lhlsksy.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.643517017 CEST	1.1.1.1	192.168.11.30	0x85e9	Name error (3)	mimmqwaykqia.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.776818037 CEST	1.1.1.1	192.168.11.30	0xec04	Name error (3)	scpzbmxklu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.839396954 CEST	1.1.1.1	192.168.11.30	0xf3d7	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:58.912314892 CEST	1.1.1.1	192.168.11.30	0xe826	Name error (3)	emrmaigh.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.049501896 CEST	1.1.1.1	192.168.11.30	0x1b26	Name error (3)	mhposkbsmfgm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.256421089 CEST	1.1.1.1	192.168.11.30	0x66	Name error (3)	msrrjwyrm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.560400963 CEST	1.1.1.1	192.168.11.30	0x6d6e	Name error (3)	evftriicx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.728615999 CEST	1.1.1.1	192.168.11.30	0x7eda	Name error (3)	yqwmiy.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:39:59.864736080 CEST	1.1.1.1	192.168.11.30	0x8d42	Name error (3)	kgsysa.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.000610113 CEST	1.1.1.1	192.168.11.30	0x6ecb	Name error (3)	rreezoiqbg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.182277918 CEST	1.1.1.1	192.168.11.30	0xe221	Name error (3)	wkzfaedg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.319427967 CEST	1.1.1.1	192.168.11.30	0x49cf	Name error (3)	dkxmvos.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.517605066 CEST	1.1.1.1	192.168.11.30	0xc715	Name error (3)	tqfbxlwpvsip.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.656982899 CEST	1.1.1.1	192.168.11.30	0x6966	Name error (3)	koindl.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:00.824635029 CEST	1.1.1.1	192.168.11.30	0xa2f8	Name error (3)	yumqcygsqk.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.006561995 CEST	1.1.1.1	192.168.11.30	0xa6cf	Name error (3)	vopsaqf.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.244771957 CEST	1.1.1.1	192.168.11.30	0x2833	Name error (3)	cobmtgsmfpx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.482095003 CEST	1.1.1.1	192.168.11.30	0x335f	Name error (3)	qemkas.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.622596979 CEST	1.1.1.1	192.168.11.30	0x7db7	Name error (3)	bqtaiujbh.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.756441116 CEST	1.1.1.1	192.168.11.30	0xb388	Name error (3)	swswoussmc.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:01.896802902 CEST	1.1.1.1	192.168.11.30	0x80c	Name error (3)	lkqdmkckr.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.065056086 CEST	1.1.1.1	192.168.11.30	0xb415	Name error (3)	pmbixadyny.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.198246002 CEST	1.1.1.1	192.168.11.30	0x4c7f	Name error (3)	mmvcfomuzgr.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.343781948 CEST	1.1.1.1	192.168.11.30	0x209f	Name error (3)	dcbeeq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.479547024 CEST	1.1.1.1	192.168.11.30	0xce2e	Name error (3)	zjkdtmzuul.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.787012100 CEST	1.1.1.1	192.168.11.30	0x3d4b	Name error (3)	sizbtf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:02.984458923 CEST	1.1.1.1	192.168.11.30	0xb948	Name error (3)	ksqlfmrx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.154942989 CEST	1.1.1.1	192.168.11.30	0x4576	Name error (3)	hlrqvyg.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.390311003 CEST	1.1.1.1	192.168.11.30	0xd0fd	Name error (3)	zohogepxhih.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.687446117 CEST	1.1.1.1	192.168.11.30	0x689c	Name error (3)	trpwlxg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:03.983000994 CEST	1.1.1.1	192.168.11.30	0x71d6	Name error (3)	qbhdsh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.228943110 CEST	1.1.1.1	192.168.11.30	0xa731	Name error (3)	wxxacjxlvl.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.364389896 CEST	1.1.1.1	192.168.11.30	0xe0f8	Name error (3)	cxdmdldfv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.497577906 CEST	1.1.1.1	192.168.11.30	0x2ea	Name error (3)	kiuwsu.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.632868052 CEST	1.1.1.1	192.168.11.30	0x4806	Name error (3)	gtpyhzzsrd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.635875940 CEST	1.1.1.1	192.168.11.30	0x3422	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:04.888986111 CEST	1.1.1.1	192.168.11.30	0x2708	Name error (3)	hcjufqt.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.135054111 CEST	1.1.1.1	192.168.11.30	0x37ad	Name error (3)	pnraibr.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.302438021 CEST	1.1.1.1	192.168.11.30	0xee01	Name error (3)	wljitkmmrsq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.439363956 CEST	1.1.1.1	192.168.11.30	0xaba6	Name error (3)	qrkcmaiuj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.691577911 CEST	1.1.1.1	192.168.11.30	0xe3b6	Name error (3)	uscpqm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:05.891922951 CEST	1.1.1.1	192.168.11.30	0x4523	Name error (3)	ihpimdxy.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.058862925 CEST	1.1.1.1	192.168.11.30	0x7b4e	Name error (3)	vwddzjzgjozz.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.267184019 CEST	1.1.1.1	192.168.11.30	0xeec9	Name error (3)	yydylwx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.433285952 CEST	1.1.1.1	192.168.11.30	0xbbbd	Name error (3)	vumilurpoatl.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.568025112 CEST	1.1.1.1	192.168.11.30	0x66be	Name error (3)	urtmvkx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.702210903 CEST	1.1.1.1	192.168.11.30	0xfee4	Name error (3)	vacovcj.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.839036942 CEST	1.1.1.1	192.168.11.30	0x3b6e	Name error (3)	kuceigmowq.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:06.972913027 CEST	1.1.1.1	192.168.11.30	0x1627	Name error (3)	eabmqsykas.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.108933926 CEST	1.1.1.1	192.168.11.30	0x818c	Name error (3)	sanyfyesvat.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.428953886 CEST	1.1.1.1	192.168.11.30	0x952e	Name error (3)	yjhofwlx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.597311974 CEST	1.1.1.1	192.168.11.30	0xa28e	Name error (3)	dzxsldit.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.764908075 CEST	1.1.1.1	192.168.11.30	0xa3e0	Name error (3)	pxmwgq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:07.901819944 CEST	1.1.1.1	192.168.11.30	0x5bc7	Name error (3)	xjzmxageg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.204827070 CEST	1.1.1.1	192.168.11.30	0x66e0	Name error (3)	jovzeem.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.386322975 CEST	1.1.1.1	192.168.11.30	0xac7d	Name error (3)	xkntthpajft.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.522423983 CEST	1.1.1.1	192.168.11.30	0xc445	Name error (3)	fiyhxjvgsqb.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.657418966 CEST	1.1.1.1	192.168.11.30	0xbe29	Name error (3)	teyrdsuc.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.794617891 CEST	1.1.1.1	192.168.11.30	0xfb93	Name error (3)	xqhrxqoh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:08.962594986 CEST	1.1.1.1	192.168.11.30	0x853e	Name error (3)	huocyhaakf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.180537939 CEST	1.1.1.1	192.168.11.30	0x3e16	Name error (3)	hagojezpc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.363418102 CEST	1.1.1.1	192.168.11.30	0xb3e0	Name error (3)	ksqeyvwh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.399044037 CEST	1.1.1.1	192.168.11.30	0x344a	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.570826054 CEST	1.1.1.1	192.168.11.30	0xb2c8	Name error (3)	rsgzts.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.706393003 CEST	1.1.1.1	192.168.11.30	0x8cc9	Name error (3)	agvocmd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.842884064 CEST	1.1.1.1	192.168.11.30	0x6b12	Name error (3)	wuzupehil.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:09.976252079 CEST	1.1.1.1	192.168.11.30	0x13fe	Name error (3)	emxwaolfpmi.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.146811962 CEST	1.1.1.1	192.168.11.30	0xb407	Name error (3)	wccbxqqoyoy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.448308945 CEST	1.1.1.1	192.168.11.30	0x42d9	Name error (3)	tbyoyvhnfv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.615220070 CEST	1.1.1.1	192.168.11.30	0x8801	Name error (3)	ffxhdkyy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.784259081 CEST	1.1.1.1	192.168.11.30	0x5bc1	Name error (3)	bkeybclmy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:10.952404022 CEST	1.1.1.1	192.168.11.30	0x6fdd	Name error (3)	wtflhxja.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.098048925 CEST	1.1.1.1	192.168.11.30	0xd0b1	Name error (3)	bflthq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.231776953 CEST	1.1.1.1	192.168.11.30	0x3258	Name error (3)	voqtbrbz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.548305035 CEST	1.1.1.1	192.168.11.30	0xa037	Name error (3)	rjmynwz.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.791655064 CEST	1.1.1.1	192.168.11.30	0xcd98	Name error (3)	fmpsoxtsv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:11.992259979 CEST	1.1.1.1	192.168.11.30	0x8d3a	Name error (3)	vafyutroz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.245412111 CEST	1.1.1.1	192.168.11.30	0xe344	Name error (3)	nzmtkansch.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.556767941 CEST	1.1.1.1	192.168.11.30	0x3634	Name error (3)	aulokytqd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.731004000 CEST	1.1.1.1	192.168.11.30	0xb21	Name error (3)	igousuia.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:12.866061926 CEST	1.1.1.1	192.168.11.30	0x98c4	Name error (3)	gmwsmkuo.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.032397985 CEST	1.1.1.1	192.168.11.30	0xbc31	Name error (3)	ahpirreonw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.206866026 CEST	1.1.1.1	192.168.11.30	0xe3e0	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.206897974 CEST	1.1.1.1	192.168.11.30	0xa427	Name error (3)	vmasuhbokayf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.342005014 CEST	1.1.1.1	192.168.11.30	0x93f	Name error (3)	horzaw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.475677967 CEST	1.1.1.1	192.168.11.30	0xa1e6	Name error (3)	rboarkztdep.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.727724075 CEST	1.1.1.1	192.168.11.30	0x6210	Name error (3)	nocrzsq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:13.895775080 CEST	1.1.1.1	192.168.11.30	0xa112	Name error (3)	vgybvjppdvve.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:14.031182051 CEST	1.1.1.1	192.168.11.30	0x8bcb	Name error (3)	ohtkxxg.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:14.281040907 CEST	1.1.1.1	192.168.11.30	0x9e38	Name error (3)	xroqdulwju.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:14.493504047 CEST	1.1.1.1	192.168.11.30	0x3101	No error (0)	jmvozxx.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:17.831378937 CEST	1.1.1.1	192.168.11.30	0xb73	Name error (3)	fgryrzlwv.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:17.969021082 CEST	1.1.1.1	192.168.11.30	0xea93	Name error (3)	dilmlovovkn.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.107050896 CEST	1.1.1.1	192.168.11.30	0xd13d	Name error (3)	cqockgwssaik.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.276989937 CEST	1.1.1.1	192.168.11.30	0x65a1	Name error (3)	upvncjsnxw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.410273075 CEST	1.1.1.1	192.168.11.30	0x7c20	Name error (3)	tyruco.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.546475887 CEST	1.1.1.1	192.168.11.30	0x485f	Name error (3)	hiuqnlsktyn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.780595064 CEST	1.1.1.1	192.168.11.30	0x13a8	Name error (3)	agakymgcigsw.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:18.917895079 CEST	1.1.1.1	192.168.11.30	0x2873	Name error (3)	nercgrv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:19.050992966 CEST	1.1.1.1	192.168.11.30	0x4b65	No error (0)	wcasugikao.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.225517988 CEST	1.1.1.1	192.168.11.30	0x25e0	Name error (3)	oasiou.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.423574924 CEST	1.1.1.1	192.168.11.30	0x85cb	Name error (3)	qstyvuo.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.642524004 CEST	1.1.1.1	192.168.11.30	0xfa3	Name error (3)	cufjtiyoj.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:22.907320023 CEST	1.1.1.1	192.168.11.30	0x2cdf	Name error (3)	revndeg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.040931940 CEST	1.1.1.1	192.168.11.30	0xb175	Name error (3)	sxwhjlvgpu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.208344936 CEST	1.1.1.1	192.168.11.30	0x80fa	Name error (3)	magkesswuu.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.344176054 CEST	1.1.1.1	192.168.11.30	0xe212	Name error (3)	lwsned.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.529771090 CEST	1.1.1.1	192.168.11.30	0x1350	Name error (3)	tdfenz.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.592607021 CEST	1.1.1.1	192.168.11.30	0x67ce	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.699387074 CEST	1.1.1.1	192.168.11.30	0xcb8b	Name error (3)	jbvspwqifcl.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:23.997534990 CEST	1.1.1.1	192.168.11.30	0x4098	Name error (3)	cewoiimcwmow.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.133137941 CEST	1.1.1.1	192.168.11.30	0x1852	Name error (3)	wrdtfuwqu.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.268093109 CEST	1.1.1.1	192.168.11.30	0x65b6	Name error (3)	mwgyka.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.404104948 CEST	1.1.1.1	192.168.11.30	0xe866	Name error (3)	ciqcimgqce.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.539346933 CEST	1.1.1.1	192.168.11.30	0x7ac5	Name error (3)	pcvsdovpp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.674990892 CEST	1.1.1.1	192.168.11.30	0x38f3	Name error (3)	lpysix.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.857009888 CEST	1.1.1.1	192.168.11.30	0x92de	Name error (3)	ogeltrlncszo.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:24.992207050 CEST	1.1.1.1	192.168.11.30	0x9fe7	Name error (3)	nxctobwc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:25.200723886 CEST	1.1.1.1	192.168.11.30	0xf6a	Name error (3)	pnmplsbbix.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:25.694097996 CEST	1.1.1.1	192.168.11.30	0xac92	No error (0)	awoumowqyw.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:28.864736080 CEST	1.1.1.1	192.168.11.30	0xf9a0	Name error (3)	dkuujwkup.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.000902891 CEST	1.1.1.1	192.168.11.30	0x949a	Name error (3)	zfrhqybxtdeg.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.170281887 CEST	1.1.1.1	192.168.11.30	0x595e	Name error (3)	egvabsriwel.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.309149981 CEST	1.1.1.1	192.168.11.30	0xf5eb	Name error (3)	wgiusyackwya.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.445425987 CEST	1.1.1.1	192.168.11.30	0x1ace	Name error (3)	uugiiqomoa.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.580864906 CEST	1.1.1.1	192.168.11.30	0xb80f	Name error (3)	zszagqbuxtu.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.659954071 CEST	1.1.1.1	192.168.11.30	0x9f67	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.749084949 CEST	1.1.1.1	192.168.11.30	0x7feb	Name error (3)	dskcygp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:29.884202003 CEST	1.1.1.1	192.168.11.30	0xbb4a	Name error (3)	hevkrkpespf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.052155972 CEST	1.1.1.1	192.168.11.30	0xb97a	Name error (3)	bmpdmba.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.220949888 CEST	1.1.1.1	192.168.11.30	0x147e	Name error (3)	xssrxcm.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.421612024 CEST	1.1.1.1	192.168.11.30	0xcc5e	Name error (3)	fygwaqxgysw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.561008930 CEST	1.1.1.1	192.168.11.30	0xb9e9	Name error (3)	mcuklboyykac.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.694941998 CEST	1.1.1.1	192.168.11.30	0xbf44	Name error (3)	bqwstab.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:30.936291933 CEST	1.1.1.1	192.168.11.30	0xfb01	Name error (3)	wqwmek.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.068809032 CEST	1.1.1.1	192.168.11.30	0xc935	Name error (3)	agfqpjgnocco.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.203437090 CEST	1.1.1.1	192.168.11.30	0xbfa4	Name error (3)	jefodozzl.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.338823080 CEST	1.1.1.1	192.168.11.30	0x93b7	Name error (3)	gsukcsgacuic.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.474129915 CEST	1.1.1.1	192.168.11.30	0x5666	Name error (3)	yzbiymneerj.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.770035028 CEST	1.1.1.1	192.168.11.30	0x1424	Name error (3)	nsnqdit.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:31.940285921 CEST	1.1.1.1	192.168.11.30	0x3207	Name error (3)	kvywsfyj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:32.077666998 CEST	1.1.1.1	192.168.11.30	0x5b7e	Name error (3)	zaplzz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:32.417399883 CEST	1.1.1.1	192.168.11.30	0x7a92	No error (0)	dwtopsisx.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:35.712908983 CEST	1.1.1.1	192.168.11.30	0xb18c	Name error (3)	iilirx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:35.882102013 CEST	1.1.1.1	192.168.11.30	0x9ef3	Name error (3)	zmzaasi.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.016165972 CEST	1.1.1.1	192.168.11.30	0xed2	Name error (3)	rozslge.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.184149027 CEST	1.1.1.1	192.168.11.30	0x8c25	Name error (3)	kgswyswsms.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.320317030 CEST	1.1.1.1	192.168.11.30	0x481b	Name error (3)	oasmcuggak.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.455329895 CEST	1.1.1.1	192.168.11.30	0x5470	Name error (3)	ravbrdlcxepx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.675358057 CEST	1.1.1.1	192.168.11.30	0x996c	Name error (3)	mgjyyduwwax.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:36.810920000 CEST	1.1.1.1	192.168.11.30	0x9104	Name error (3)	fduvhdv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.026983976 CEST	1.1.1.1	192.168.11.30	0x3db3	Name error (3)	cywqlsx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.049221039 CEST	1.1.1.1	192.168.11.30	0x4be0	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.194293976 CEST	1.1.1.1	192.168.11.30	0xb159	Name error (3)	egwkmsqm.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.404366970 CEST	1.1.1.1	192.168.11.30	0xfcc1	Name error (3)	osxpaprezyg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.545795918 CEST	1.1.1.1	192.168.11.30	0xbfa1	Name error (3)	ovmlyfsbvepf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.681818962 CEST	1.1.1.1	192.168.11.30	0xe8fc	Name error (3)	xvhkkg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:37.895689964 CEST	1.1.1.1	192.168.11.30	0x3d81	Name error (3)	lozupqunl.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.031255007 CEST	1.1.1.1	192.168.11.30	0x2919	Name error (3)	rafoaiduv.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.168739080 CEST	1.1.1.1	192.168.11.30	0x2034	Name error (3)	xixshgqsnxdm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.306154966 CEST	1.1.1.1	192.168.11.30	0x4927	Name error (3)	pspexyjytqa.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.473686934 CEST	1.1.1.1	192.168.11.30	0x87c5	Name error (3)	ktljlgcrkwv.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.611176968 CEST	1.1.1.1	192.168.11.30	0x8ab6	Name error (3)	flmbvdibho.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.820714951 CEST	1.1.1.1	192.168.11.30	0x73b8	Name error (3)	nwtltucdgxci.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:38.956223965 CEST	1.1.1.1	192.168.11.30	0x739	No error (0)	gemckmkqmeim.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.130565882 CEST	1.1.1.1	192.168.11.30	0xbfe3	Name error (3)	qycosiiiykcy.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.267520905 CEST	1.1.1.1	192.168.11.30	0x62cd	Name error (3)	zpryru.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.405050039 CEST	1.1.1.1	192.168.11.30	0xede6	Name error (3)	lwlihog.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.656404972 CEST	1.1.1.1	192.168.11.30	0x529b	Name error (3)	wuhkrrpew.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.831593037 CEST	1.1.1.1	192.168.11.30	0xb5c0	Name error (3)	bonydwj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	www.bbc.co.uk	www.bbc.co.uk.pri.bbc.co.uk		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	www.bbc.co.uk.pri.bbc.co.uk	bbc.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	bbc.map.fastly.net		151.101.128.81	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	bbc.map.fastly.net		151.101.64.81	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	bbc.map.fastly.net		151.101.192.81	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.936119080 CEST	1.1.1.1	192.168.11.30	0x7368	No error (0)	bbc.map.fastly.net		151.101.0.81	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:42.968178988 CEST	1.1.1.1	192.168.11.30	0xc1e0	Name error (3)	gifjwknnsa.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.231833935 CEST	1.1.1.1	192.168.11.30	0xb508	Name error (3)	uagoeg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.399180889 CEST	1.1.1.1	192.168.11.30	0x1068	Name error (3)	hosplypcd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.567142010 CEST	1.1.1.1	192.168.11.30	0x1933	Name error (3)	kepiqy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.701117992 CEST	1.1.1.1	192.168.11.30	0xc498	Name error (3)	skpxwstkygr.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:43.922002077 CEST	1.1.1.1	192.168.11.30	0xaa31	Name error (3)	jcyusd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.089970112 CEST	1.1.1.1	192.168.11.30	0x8a09	Name error (3)	ekojonrx.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.301032066 CEST	1.1.1.1	192.168.11.30	0x91a7	Name error (3)	bgiqmzak.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.435883045 CEST	1.1.1.1	192.168.11.30	0x5b62	Name error (3)	pqdwhoyqfyr.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.644104004 CEST	1.1.1.1	192.168.11.30	0xc8e	Name error (3)	qledvhmwtgj.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.737411976 CEST	1.1.1.1	192.168.11.30	0x2caf	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.781250954 CEST	1.1.1.1	192.168.11.30	0xf11e	Name error (3)	cvpprc.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:44.918150902 CEST	1.1.1.1	192.168.11.30	0xc50	Name error (3)	zwphhjux.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.055444956 CEST	1.1.1.1	192.168.11.30	0x54b4	Name error (3)	mepqfzed.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.191740990 CEST	1.1.1.1	192.168.11.30	0x63d2	Name error (3)	khhwhgysu.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.325480938 CEST	1.1.1.1	192.168.11.30	0xbd3d	Name error (3)	tjzaiyhoayd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.535262108 CEST	1.1.1.1	192.168.11.30	0xa527	Name error (3)	wcikfayz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.704972982 CEST	1.1.1.1	192.168.11.30	0xb7a0	Name error (3)	ftyayhvid.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.922581911 CEST	1.1.1.1	192.168.11.30	0x9bcb	No error (0)	htcdxnm.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:45.996750116 CEST	1.1.1.1	192.168.11.30	0xd187	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.079109907 CEST	1.1.1.1	192.168.11.30	0x78b0	Name error (3)	eumiqrniuuj.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.247307062 CEST	1.1.1.1	192.168.11.30	0x968e	Name error (3)	ukamqol.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.414371967 CEST	1.1.1.1	192.168.11.30	0x201e	Name error (3)	kyszrzmuawj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.600483894 CEST	1.1.1.1	192.168.11.30	0x4f65	Name error (3)	gvsvxirhjhmc.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.734067917 CEST	1.1.1.1	192.168.11.30	0x71e3	Name error (3)	zavcnar.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:49.945694923 CEST	1.1.1.1	192.168.11.30	0x4c7d	Name error (3)	fdnkvsylwiz.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.114571095 CEST	1.1.1.1	192.168.11.30	0xcbbb	Name error (3)	otmccjnozm.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.247878075 CEST	1.1.1.1	192.168.11.30	0x5689	Name error (3)	umcaqskg.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.415230989 CEST	1.1.1.1	192.168.11.30	0xbb57	Name error (3)	ttnbfk.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.582907915 CEST	1.1.1.1	192.168.11.30	0xd50b	Name error (3)	ryxedahgvtlu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:50.717269897 CEST	1.1.1.1	192.168.11.30	0x9085	Name error (3)	bnuclyrxygnf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.017802954 CEST	1.1.1.1	192.168.11.30	0x6613	Name error (3)	coxovsu.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.844352007 CEST	1.1.1.1	192.168.11.30	0x33f2	Name error (3)	ryxqnubutjv.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:51.979098082 CEST	1.1.1.1	192.168.11.30	0x78a1	Name error (3)	zyzubzht.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.145538092 CEST	1.1.1.1	192.168.11.30	0x9c0	Name error (3)	qqbnhgbsqxd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.354728937 CEST	1.1.1.1	192.168.11.30	0x16cb	Name error (3)	fxzpqzqd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.523325920 CEST	1.1.1.1	192.168.11.30	0x107d	Name error (3)	pzavkbwk.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.529164076 CEST	1.1.1.1	192.168.11.30	0x8680	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.656572104 CEST	1.1.1.1	192.168.11.30	0xc3be	Name error (3)	tlbiku.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.792020082 CEST	1.1.1.1	192.168.11.30	0x532c	Name error (3)	vupjfqd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:52.927196026 CEST	1.1.1.1	192.168.11.30	0xb8fd	Name error (3)	cmixxszxrf.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.095614910 CEST	1.1.1.1	192.168.11.30	0x8d0a	Name error (3)	hintqdku.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.387314081 CEST	1.1.1.1	192.168.11.30	0xe005	Name error (3)	bwvdpivgkbq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.520831108 CEST	1.1.1.1	192.168.11.30	0x5262	Name error (3)	ybwgqhqrij.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:53.747910976 CEST	1.1.1.1	192.168.11.30	0x30fc	Name error (3)	teewxe.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.041420937 CEST	1.1.1.1	192.168.11.30	0x557f	Name error (3)	aubohelcvlm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.278383017 CEST	1.1.1.1	192.168.11.30	0x255d	Name error (3)	rnrbzaiv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.586980104 CEST	1.1.1.1	192.168.11.30	0x5c08	Name error (3)	uwpdwvsp.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.719954014 CEST	1.1.1.1	192.168.11.30	0xc1d0	Name error (3)	trmpbuwu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.854980946 CEST	1.1.1.1	192.168.11.30	0x2532	Name error (3)	mkouldrk.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:54.965719938 CEST	1.1.1.1	192.168.11.30	0xe4df	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.021820068 CEST	1.1.1.1	192.168.11.30	0x5b63	Name error (3)	dadqeqrbmhkp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.232455969 CEST	1.1.1.1	192.168.11.30	0x5426	Name error (3)	pguuxfdjxm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.533637047 CEST	1.1.1.1	192.168.11.30	0x857b	Name error (3)	voisfho.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.717464924 CEST	1.1.1.1	192.168.11.30	0x73cf	Name error (3)	aamsoqwekwec.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.853084087 CEST	1.1.1.1	192.168.11.30	0xdce8	Name error (3)	jcasyzwnyb.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:55.987535954 CEST	1.1.1.1	192.168.11.30	0x1e3d	Name error (3)	kzzieqwxrfgm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.122447968 CEST	1.1.1.1	192.168.11.30	0x840f	Name error (3)	hoacxkhcaot.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.288511992 CEST	1.1.1.1	192.168.11.30	0xa7f6	Name error (3)	bqyuiihdvkwp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.454893112 CEST	1.1.1.1	192.168.11.30	0x47d8	Name error (3)	ykvsdehnbic.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.688235044 CEST	1.1.1.1	192.168.11.30	0x36cc	Name error (3)	mdabnbhqftj.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:56.822460890 CEST	1.1.1.1	192.168.11.30	0xdb5	Name error (3)	gqiugkyksc.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.008601904 CEST	1.1.1.1	192.168.11.30	0x3be3	Name error (3)	bgkwjol.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.173768044 CEST	1.1.1.1	192.168.11.30	0x6346	Name error (3)	ucrxnssd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.385817051 CEST	1.1.1.1	192.168.11.30	0x9795	Name error (3)	faasdt.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.522588968 CEST	1.1.1.1	192.168.11.30	0x2130	Name error (3)	ozsqpqy.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.657691956 CEST	1.1.1.1	192.168.11.30	0x2897	Name error (3)	niyutxia.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:57.825530052 CEST	1.1.1.1	192.168.11.30	0x5d61	Name error (3)	tqpofcjab.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.036119938 CEST	1.1.1.1	192.168.11.30	0x7ab5	Name error (3)	terdonh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.353249073 CEST	1.1.1.1	192.168.11.30	0x2494	Name error (3)	vsmntqmv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.489398956 CEST	1.1.1.1	192.168.11.30	0x1197	Name error (3)	vjjuxotcr.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.704735041 CEST	1.1.1.1	192.168.11.30	0x1e37	Name error (3)	pycyjn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:58.872731924 CEST	1.1.1.1	192.168.11.30	0x2a9b	Name error (3)	zryswp.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.006763935 CEST	1.1.1.1	192.168.11.30	0xc159	Name error (3)	iffkftv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.143372059 CEST	1.1.1.1	192.168.11.30	0x3d85	Name error (3)	puvxcbhx.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.377525091 CEST	1.1.1.1	192.168.11.30	0x54ab	Name error (3)	vwuhtwjkiukd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.426335096 CEST	1.1.1.1	192.168.11.30	0xb150	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.511931896 CEST	1.1.1.1	192.168.11.30	0x6db8	Name error (3)	rqlmrcbc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.647332907 CEST	1.1.1.1	192.168.11.30	0x8393	Name error (3)	ayocmawe.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:40:59.948757887 CEST	1.1.1.1	192.168.11.30	0x576e	Name error (3)	akyndev.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.080667973 CEST	1.1.1.1	192.168.11.30	0x1df	Name error (3)	jnqmtia.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.247585058 CEST	1.1.1.1	192.168.11.30	0x4703	Name error (3)	pqjmoi.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.415306091 CEST	1.1.1.1	192.168.11.30	0x88ec	Name error (3)	hcgosj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.549045086 CEST	1.1.1.1	192.168.11.30	0xdc7f	Name error (3)	ocowiwigou.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.573348999 CEST	1.1.1.1	192.168.11.30	0x757c	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.686049938 CEST	1.1.1.1	192.168.11.30	0x985	Name error (3)	yjtugxbx.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.820766926 CEST	1.1.1.1	192.168.11.30	0xc5ce	Name error (3)	gbekjlws.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:00.954222918 CEST	1.1.1.1	192.168.11.30	0xa72e	Name error (3)	nkrqzg.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.151454926 CEST	1.1.1.1	192.168.11.30	0x98be	Name error (3)	uzpknqpehid.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.287635088 CEST	1.1.1.1	192.168.11.30	0x4098	Name error (3)	sgdyfbvwe.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.453718901 CEST	1.1.1.1	192.168.11.30	0x83a1	Name error (3)	iaimiwaw.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.590816975 CEST	1.1.1.1	192.168.11.30	0xc1b6	Name error (3)	rcxvkunydmr.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:01.888709068 CEST	1.1.1.1	192.168.11.30	0xd318	Name error (3)	meyuyaewaogs.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:02.024576902 CEST	1.1.1.1	192.168.11.30	0x1971	Name error (3)	ksmggayg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:02.234149933 CEST	1.1.1.1	192.168.11.30	0x40fa	No error (0)	xkesrsk.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.041791916 CEST	1.1.1.1	192.168.11.30	0xdd5a	Name error (3)	whatismyip.everdot.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.433868885 CEST	1.1.1.1	192.168.11.30	0xe4ee	Name error (3)	htdnxe.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.606949091 CEST	1.1.1.1	192.168.11.30	0xa62e	Name error (3)	djlijkrol.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.740880966 CEST	1.1.1.1	192.168.11.30	0x3b1e	Name error (3)	hfmmrpaa.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:05.907262087 CEST	1.1.1.1	192.168.11.30	0xfa30	Name error (3)	rqrglipkoyb.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.074598074 CEST	1.1.1.1	192.168.11.30	0x483	Name error (3)	eobhpynq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.182168007 CEST	1.1.1.1	192.168.11.30	0xf13c	Name error (3)	www.whatismyip.ca	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.276040077 CEST	1.1.1.1	192.168.11.30	0xab85	Name error (3)	tchyfuocxrc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.504889011 CEST	1.1.1.1	192.168.11.30	0x9c33	Name error (3)	gshaoi.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.674196959 CEST	1.1.1.1	192.168.11.30	0xb2c4	Name error (3)	giglhwhuby.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.809618950 CEST	1.1.1.1	192.168.11.30	0x40fe	Name error (3)	hamsvogno.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:06.944685936 CEST	1.1.1.1	192.168.11.30	0x52c9	Name error (3)	ntcgvuryjee.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.080096006 CEST	1.1.1.1	192.168.11.30	0x45e3	Name error (3)	qkwcuasm.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.289221048 CEST	1.1.1.1	192.168.11.30	0x31b2	Name error (3)	dsklbkmbbx.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.454277039 CEST	1.1.1.1	192.168.11.30	0xcc2c	Name error (3)	qmwoewqkaamo.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.594712973 CEST	1.1.1.1	192.168.11.30	0xe360	Name error (3)	musmgsaw.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.801260948 CEST	1.1.1.1	192.168.11.30	0x86a7	Name error (3)	jcfzmn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:07.968422890 CEST	1.1.1.1	192.168.11.30	0x5f5	Name error (3)	suzetmnq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.102128029 CEST	1.1.1.1	192.168.11.30	0x3650	Name error (3)	nllqlqfxanom.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.407915115 CEST	1.1.1.1	192.168.11.30	0x661b	Name error (3)	jubkwv.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.542010069 CEST	1.1.1.1	192.168.11.30	0xbb92	Name error (3)	saxwjjjeb.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.784792900 CEST	1.1.1.1	192.168.11.30	0x3f88	Name error (3)	keyuqaco.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:08.951042891 CEST	1.1.1.1	192.168.11.30	0x11ed	Name error (3)	hzxvah.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.118925095 CEST	1.1.1.1	192.168.11.30	0xe9d7	Name error (3)	qaciphd.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.419800997 CEST	1.1.1.1	192.168.11.30	0xbd4e	Name error (3)	vgpckslqq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.598784924 CEST	1.1.1.1	192.168.11.30	0xe271	Name error (3)	qqikyaggkswy.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:09.812100887 CEST	1.1.1.1	192.168.11.30	0xac18	No error (0)	kwecii.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.036602974 CEST	1.1.1.1	192.168.11.30	0x754b	Name error (3)	smtcrrm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.222948074 CEST	1.1.1.1	192.168.11.30	0xb785	Name error (3)	rfqpbojltq.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.357429981 CEST	1.1.1.1	192.168.11.30	0x4ab0	Name error (3)	waieucykau.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.494137049 CEST	1.1.1.1	192.168.11.30	0x8189	Name error (3)	dieqnoxgfoxb.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.629539967 CEST	1.1.1.1	192.168.11.30	0x45a8	Name error (3)	pqkcuqqnpqd.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.814726114 CEST	1.1.1.1	192.168.11.30	0xe093	Name error (3)	hiazdcy.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:13.947834969 CEST	1.1.1.1	192.168.11.30	0x762a	Name error (3)	kqpxtsgpzx.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.082676888 CEST	1.1.1.1	192.168.11.30	0x640a	Name error (3)	vjvslqxmv.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.300617933 CEST	1.1.1.1	192.168.11.30	0xe265	Name error (3)	otykmmxuwhs.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.468369961 CEST	1.1.1.1	192.168.11.30	0xffb	Name error (3)	savdog.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.636611938 CEST	1.1.1.1	192.168.11.30	0x1c72	Name error (3)	jgrfdugjau.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.781891108 CEST	1.1.1.1	192.168.11.30	0x1870	Name error (3)	kkakqqayhyu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:14.967777967 CEST	1.1.1.1	192.168.11.30	0xb3ff	Name error (3)	eedijewjab.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.133441925 CEST	1.1.1.1	192.168.11.30	0xbb55	Name error (3)	hayarmmbzyv.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.268141031 CEST	1.1.1.1	192.168.11.30	0x90b7	Name error (3)	cspcpap.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.403243065 CEST	1.1.1.1	192.168.11.30	0xc76a	Name error (3)	phwbulosja.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.537328005 CEST	1.1.1.1	192.168.11.30	0xbb30	Name error (3)	iaqmeowe.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.673921108 CEST	1.1.1.1	192.168.11.30	0x3897	Name error (3)	bcnuzzk.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.808639050 CEST	1.1.1.1	192.168.11.30	0x58cb	Name error (3)	nhzkbxtuxso.com	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:15.941210985 CEST	1.1.1.1	192.168.11.30	0x6b93	Name error (3)	awbabah.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.174685001 CEST	1.1.1.1	192.168.11.30	0x8d12	Name error (3)	qiaykqoaqe.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.413115978 CEST	1.1.1.1	192.168.11.30	0x9af	Name error (3)	rigtmebyrwk.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.548532963 CEST	1.1.1.1	192.168.11.30	0xf72c	Name error (3)	fyuftjcbykxh.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.715807915 CEST	1.1.1.1	192.168.11.30	0xaae4	Name error (3)	bwvwvtkesnht.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:16.903140068 CEST	1.1.1.1	192.168.11.30	0x4c8d	Name error (3)	ikvzsyc.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.069770098 CEST	1.1.1.1	192.168.11.30	0xc624	Name error (3)	hztehanu.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.202601910 CEST	1.1.1.1	192.168.11.30	0xf4e7	Name error (3)	qsiwcddk.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.369883060 CEST	1.1.1.1	192.168.11.30	0xf58c	Name error (3)	drpgrw.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.606075048 CEST	1.1.1.1	192.168.11.30	0xc1c3	Name error (3)	ocndbcf.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.773010969 CEST	1.1.1.1	192.168.11.30	0x61b0	Name error (3)	pzhnljvmfru.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:17.907826900 CEST	1.1.1.1	192.168.11.30	0xeb91	Name error (3)	nqhldiaq.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.043180943 CEST	1.1.1.1	192.168.11.30	0x737d	Name error (3)	ejguppjem.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.175466061 CEST	1.1.1.1	192.168.11.30	0x25ac	Name error (3)	ufvxhp.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.309672117 CEST	1.1.1.1	192.168.11.30	0x1fb	Name error (3)	xilsfdgn.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:18.443211079 CEST	1.1.1.1	192.168.11.30	0xc45f	No error (0)	qkqsgqekyago.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:21.650276899 CEST	1.1.1.1	192.168.11.30	0xf771	Name error (3)	jtbancuulki.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:21.953766108 CEST	1.1.1.1	192.168.11.30	0x967a	Name error (3)	ykydrbpoxqpu.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.121715069 CEST	1.1.1.1	192.168.11.30	0xc967	Name error (3)	gorfnmtwasl.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.289572954 CEST	1.1.1.1	192.168.11.30	0xff19	Name error (3)	xnsamtpm.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.423259020 CEST	1.1.1.1	192.168.11.30	0x5ef2	Name error (3)	pfqdbsyn.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.657285929 CEST	1.1.1.1	192.168.11.30	0x2ebe	Name error (3)	euuoqg.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.830053091 CEST	1.1.1.1	192.168.11.30	0xa16e	Name error (3)	vtbcnjvmwj.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:22.966583967 CEST	1.1.1.1	192.168.11.30	0x74a3	Name error (3)	xfbeqk.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:23.102112055 CEST	1.1.1.1	192.168.11.30	0xdaac	Name error (3)	pgglnkael.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:23.312868118 CEST	1.1.1.1	192.168.11.30	0xb9f7	No error (0)	buakrgp.org		162.249.65.164	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.549401999 CEST	1.1.1.1	192.168.11.30	0xe144	Name error (3)	xthmhc.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.760077953 CEST	1.1.1.1	192.168.11.30	0x8776	Name error (3)	ebzwtwgch.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:26.957865953 CEST	1.1.1.1	192.168.11.30	0xc2e	Name error (3)	vispyytg.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.126580000 CEST	1.1.1.1	192.168.11.30	0x2cf8	Name error (3)	nifigom.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.260960102 CEST	1.1.1.1	192.168.11.30	0xc16a	Name error (3)	nrayothh.net	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.397468090 CEST	1.1.1.1	192.168.11.30	0x44ac	Name error (3)	zncepwjkjm.info	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.580326080 CEST	1.1.1.1	192.168.11.30	0xab79	Name error (3)	rieoxvzxc.org	none	none	A (IP address)	IN (0x0001)	false
Oct 15, 2024 15:41:27.715879917 CEST	1.1.1.1	192.168.11.30	0x136a	Name error (3)	ystygahkl.info	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

whatismyipaddress.com

www.showmyipaddress.com

www.whatismyip.com

www.myspace.com

lwbjtptjlzji.net

www.facebook.com

xhjwwgwd.info

wsmpvwxb.info

www.imdb.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.30	49799	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:04.374111891 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:04.516160965 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:19 GMT Set-Cookie: __cf_bm=vFT_S.l2plcgNSszqZxPOgQgiPFYZRZLMqFCJEEld24-1728999544-1.0.1.1-EHSRuxvkJWJuVBGRV2yjcQhyuF2aCJydUHQ.fgvhoPxOIwGJ2aKtAlKR4p9asN2ZjHAiiKfaAYh9bkpAawN5Gg; path=/; expires=Tue, 15-Oct-24 14:09:04 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d303690be74a530-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:04.516304970 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:04.516375065 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:04.516447067 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 36 39 30 62 65 37 34 61 35 33 30 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d303690be74a530</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.30	49800	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:05.798021078 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:05.944278955 CEST	874	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:05 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bOWlpkB%2BD4h6LTkzKg2CEm6CkeI2kdAyNftNuJzjiqp36mKM5jWDoJes55s0jlVH4jdBXrdG9q8MMt09fPc0tqQizBC4iTLSMlymi0OBKkRpFW7NLL2c7ee3KArWoOxWH6UUQx7IA1L8VA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d303699a8bc74a8-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.30	49803	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:09.382644892 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:09.546524048 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:24 GMT Set-Cookie: __cf_bm=M2pH.5UVAhNNH.Yyu5yQnmUkUHU1.4D.3YUCTYw3ECM-1728999549-1.0.1.1-bopzJkuMdqImAjFet6sYo5.tPvWEqFY0WB.rhS7ZHsCkPesBPsyaKg7hRqp5Zkdq2LgFJ0.rlPrvg8gHtx9Z9A; path=/; expires=Tue, 15-Oct-24 14:09:09 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3036b00e68335e-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:09.546600103 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:09.546659946 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:09.546806097 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 36 62 30 30 65 36 38 33 33 35 65 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3036b00e68335e</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.30	49804	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:10.693607092 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:10.855709076 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:25 GMT Set-Cookie: __cf_bm=F8.bHDjOmzZs_uMT4mduv7oWzIO0aOXmCGZTrVaisgw-1728999550-1.0.1.1-B2qV84GVsSKAa9RU2vMfVDryKr8SNGFbfclStkVH9jKPNe4EcI3MAzp7r7ebGlVDD12uGMXzOHZ0VosG1LRfaQ; path=/; expires=Tue, 15-Oct-24 14:09:10 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3036b838ecd9fd-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:10.855818987 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:10.855833054 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:10.856065989 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 36 62 38 33 38 65 63 64 39 66 64 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3036b838ecd9fd</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.30	49805	104.27.206.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:12.154522896 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:12.301763058 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:12 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:12 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDFzuTpHslNMKOZAfDP0dZs6RIgg6T74jjmXhhgyimVBxhO7UTaizjZyghV1bF5JjhO1ASAo6HaRtDOUmZTLzgt%2Bx9Ce8WW%2Bnapx88cHe8Fqs1b%2Fsvupm6mDqtNIkUOciqhAsg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3036c15cc65c69-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.30	49810	104.27.206.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:17.770518064 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:17.910665989 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:17 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:17 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PBsClwOL3aahqW32d7klmyx9oN7%2FIaiES8YtIvqPQrKDuHCdw%2BcgoK9ZTuBCf46xexMCkbBayS3zNJnGRawowiXlgN7R%2F8P6uwes5gt5TQsoOXNKWMhXwxse5MMgQo5E0kvjbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3036e47a14d9cd-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.30	49813	104.27.206.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:21.207192898 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:21.357883930 CEST	853	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:21 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:21 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A2O07MoaIHPZjjE98ZPBAVQ8vdev6kbuA3S9gdZsKpPEUMYzyqSOuMaVje6OANWV4tFigdnL2MxIgJcE23%2F7YKQblEvWL50wZGio7GW7J7d21y5afwcHmHaFMv1B%2FXsxHknhaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3036f9fc36da77-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.30	49814	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:22.502989054 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:22.660245895 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:37 GMT Set-Cookie: __cf_bm=dZg45bLLD2l8r0AyDiHaWvLigxUpqs4pfHy9igHniL0-1728999562-1.0.1.1-LVfrx19PQEpVO3A1uisAp544UCxrU2wyDz7nuGEIYh63jslcHdCLA.5uc4TraQROoVk32qfaO1kefZ7d0baYRA; path=/; expires=Tue, 15-Oct-24 14:09:22 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037020c3725b5-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:22.660382986 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:22.660464048 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:22.660545111 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 30 32 30 63 33 37 32 35 62 35 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037020c3725b5</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.30	49815	34.111.176.156	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:23.981647015 CEST	175	OUT	GET / HTTP/1.1 Host: www.myspace.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:24.110925913 CEST	213	IN	HTTP/1.1 301 Moved Permanently Cache-Control: private Location: https://www.myspace.com:443/ Content-Length: 0 Date: Tue, 15 Oct 2024 13:39:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.30	49818	35.164.78.200	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:24.542615891 CEST	176	OUT	GET / HTTP/1.1 Host: lwbjtptjlzji.net Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:24.819334030 CEST	422	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 15 Oct 2024 13:39:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=434925d89799094820f2aaeb05e3989f\|102.129.152.200\|1728999564\|1728999564\|0\|1\|0; path=/; domain=.lwbjtptjlzji.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=102.129.152.200; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.30	49819	31.13.67.35	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:24.588140011 CEST	176	OUT	GET / HTTP/1.1 Host: www.facebook.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:24.718518972 CEST	195	IN	HTTP/1.1 301 Moved Permanently Location: https://www.facebook.com/ Content-Type: text/plain Server: proxygen-bolt Date: Tue, 15 Oct 2024 13:39:24 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.30	49820	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:24.855096102 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:25.000981092 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:39 GMT Set-Cookie: __cf_bm=1nE0UCey8XtG83SYPAw7TF23SwXgTybrKUmmMiZ8e0M-1728999564-1.0.1.1-PCfYTXH3LEo.nqE7uCIKN0ddrNInlSBEOLfH4V_PnTCsBpjRjkju8LAANPKTpCGETJBBwLlIxldfqmyQiiY9GQ; path=/; expires=Tue, 15-Oct-24 14:09:24 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d303710be1eb3cb-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:25.001034975 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:25.001058102 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:25.001080036 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 31 30 62 65 31 65 62 33 63 62 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d303710be1eb3cb</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.30	49821	85.214.228.140	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:26.076550007 CEST	173	OUT	GET / HTTP/1.1 Host: xhjwwgwd.info Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:26.339117050 CEST	132	IN	HTTP/1.1 404 Not Found Server: nginx/1.27.2 Date: Tue, 15 Oct 2024 13:39:26 GMT Transfer-Encoding: chunked Connection: close
Oct 15, 2024 15:39:26.339226961 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.30	49822	104.27.206.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:26.159084082 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:26.307447910 CEST	853	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:26 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:26 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V3AsdWbEr6bUiRQLObjqhRityBcCNqZgLrPYzPeYfObTLdUSaFIyUAH24jJhw6pl3%2BAdtjVKWbqvECW9nsCIqKgsKYrYXBlX%2BckYkCmRUHbqIfpvNup2iwMqEaoU9Ek7KRrqrg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d303718ef68747e-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.30	49825	208.100.26.245	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:29.034244061 CEST	173	OUT	GET / HTTP/1.1 Host: wsmpvwxb.info Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:29.201827049 CEST	337	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 15 Oct 2024 13:39:29 GMT Content-Type: text/html Content-Length: 178 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.11.30	49827	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:29.736737013 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:29.880258083 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:44 GMT Set-Cookie: __cf_bm=o27P_8.1Q7o_KBrL5CpxRxlGZhSGfUovhellNCBPt3U-1728999569-1.0.1.1-Ps86dzFA2ySE4s7AvFNH51Q6UAWlflAmCgdZKT8Numd2dOljmq10iyMEuHTieeL1xcUuUExvZhRLWi35mSbwcg; path=/; expires=Tue, 15-Oct-24 14:09:29 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d30372f3ca1746d-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:29.880287886 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:29.880307913 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:29.880330086 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 32 66 33 63 61 31 37 34 36 64 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d30372f3ca1746d</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.11.30	49831	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:33.064106941 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:33.207948923 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:48 GMT Set-Cookie: __cf_bm=5yMpV.In6xs.yigWY4VWH1iNK5oS7aiKe6eBOL4Xifk-1728999573-1.0.1.1-JnW_97jN86t2Hc2gjpQD.0gxMboUGc9PRHzEU1IF6NIdDzzqtTmgEwYXj_toZwGIKC1vOLcnLnPgpNmiv5kzRQ; path=/; expires=Tue, 15-Oct-24 14:09:33 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037440ce9225d-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:33.207993031 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:33.208008051 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:33.208139896 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 34 34 30 63 65 39 32 32 35 64 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037440ce9225d</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.11.30	49833	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:34.361063004 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:34.503163099 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:34 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:34 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JQGlqW6wbV57IF3umxusoDZmM9cRVp53Yq0V8sl3dEuz9QMm6BoLb%2BJvOMcHXYKLzDGslarHNq9jPbVFQADQmAw9KLbvDW8EK%2BoSbWp5GY%2BwaUchK2VI34yPjKm0I7pD4QnYbkXC0PIS4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d30374c280d31f6-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.11.30	49834	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:35.656472921 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:35.819214106 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:50 GMT Set-Cookie: __cf_bm=qs7qpzbLNrRljCKaFh3TJfJ7sOl4FZgA5t_fqo4mAu4-1728999575-1.0.1.1-3H_7CHI.JeMpVjHLXKVzdWV1BdzwWuf7TMPlfa3ZEl1y_8eVvOtwk8EAFv1X49mkRrzgYTtOsu_tCYuV4MJQ5w; path=/; expires=Tue, 15-Oct-24 14:09:35 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037543adfa65f-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:35.819267035 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:35.819942951 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:35.820050001 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 35 34 33 61 64 66 61 36 35 66 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037543adfa65f</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.11.30	49838	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:38.240591049 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:38.405069113 CEST	861	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:38 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:38 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cw7DuiWfQkPd6feOLkyAh%2F8%2B%2BK84Rrq9pJH7yklvmLD87kJtVeLe29A5glgFk39ZUtUabhwCWLkaGApLXatlDbQ5%2BgD7%2Bv0QoMVED4meVS95L%2BJFr9ZFwbaYp8zFGcr8JxaaRA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3037646bf69aeb-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.11.30	49842	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:40.562753916 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:40.723990917 CEST	880	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:40 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:40 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BMRZoW6a%2B8EqcRN1L6ACCyyr2fn82iKRj3ADKbkQ9emnTMLRLzCUqSoY3CAQd7nke6FI%2B1kYpRQOjbfZ5uk%2BgpkLXQOr1G1nxM0xWgnHVqxnQqz6pTAhujXNgmhS9khdUS3y1Kf%2FSBBq6g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d303772e8e2336a-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.11.30	49843	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:41.874092102 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:42.018630981 CEST	861	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:41 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:41 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pjZmut6TrV%2Bi0sP2Fn%2FhOF4WrmEpj%2FnF%2ByfvhKmu7rhjdSRLWcNfCGEuVqpdKl8bgGbdmKu08U66IATDN7NwnKdfPvCgohC4ptZoygR76rWqQvaY%2B7ghCR%2BfbAfPjkM6u2whRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d30377b1908a56a-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.11.30	49844	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:43.171327114 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:43.318856955 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:39:58 GMT Set-Cookie: __cf_bm=dEtUiyT5kOMGsoewrlMsH86fIMeO8ARNOZyXV4KvxLc-1728999583-1.0.1.1-2nrQr8tSbJVapw5qb6k7K8P2GeQ3zP_I4.WtE2QiVZCpLYPYbM1JV_VR7iCk6CIJKZK1SHU9pcyiOMcRKNpVMg; path=/; expires=Tue, 15-Oct-24 14:09:43 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037833af1b3cd-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:43.318959951 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:43.319073915 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:43.319186926 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 38 33 33 61 66 31 62 33 63 64 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037833af1b3cd</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.11.30	49848	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:45.609272003 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:45.757122993 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:45 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:45 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZxeowAkA3YTnhxzohwQyIXOPO41z65V37zRezgIbpwQudw0lj%2FPvkR73lNGziMNShEuUlVq1YV4OJlEDH0bUHLrA7xnF5%2FXtJljl%2BlIVrCq70kTnplehuVw1DMwn0clrr9Xxvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3037927cdca546-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.11.30	49850	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:46.904325008 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:47.050240040 CEST	859	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:46 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:46 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pNq9DC9x%2BmFU%2BMeP0Kl0b1QtBzQ8qCVprEBv4%2FCZvsESeo4j80XmhxoJphHSysMZIadc6HenpcQywnQs%2BEj5B2QG37t7eWKFMFNAFxitmi0gjde3fxFn2WvJL4Lt%2BXeJolZqzw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d30379a8f0e748b-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.11.30	49851	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:48.200788975 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:48.354157925 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:03 GMT Set-Cookie: __cf_bm=f1HcTp4Mh3lmZto.Gzc.AT5Ix0xG4UgnN2cTfnm2iRk-1728999588-1.0.1.1-PndGfoVIVSCw_zYFFlO4S9q2OnApUbbdX_ls_VTFBflODamZIdtL8gAjAI96qFwu0vC4bJ_HBrDDlC_xHy.cbA; path=/; expires=Tue, 15-Oct-24 14:09:48 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037a2abeedafd-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:48.354233980 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:48.354248047 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:48.354599953 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 61 32 61 62 65 65 64 61 66 64 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037a2abeedafd</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.11.30	49853	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:49.497767925 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:49.638871908 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:39:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:04 GMT Set-Cookie: __cf_bm=E3F9TcAbDwxgIw_jB78puRTCDn31ed_XiHjZ2Z3uvN4-1728999589-1.0.1.1-NISv8YYKyxEnb7thEwukTJqj8AFicTZWOM9B2o_vB02haPd6jAM53gFjLxVNWz1og_C84jDYFxq8Q2_ry.x2Ww; path=/; expires=Tue, 15-Oct-24 14:09:49 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3037aace3209d2-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:39:49.638951063 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:39:49.639137030 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:39:49.639149904 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 37 61 61 63 65 33 32 30 39 64 32 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3037aace3209d2</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.11.30	49855	18.64.172.225	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:51.029612064 CEST	172	OUT	GET / HTTP/1.1 Host: www.imdb.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:51.158106089 CEST	586	IN	HTTP/1.1 301 Moved Permanently Server: CloudFront Date: Tue, 15 Oct 2024 13:39:51 GMT Content-Type: text/html Content-Length: 167 Connection: close Location: https://www.imdb.com/ X-Cache: Redirect from cloudfront Via: 1.1 7aea57f307e043300c172e8eaaa89c9c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P4 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: gFl2VVoiWfvZcZTE8aCnkMnxk-aWyP5xfpzW8KwAl2sxRWRfxBr2Ww== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.11.30	49856	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:51.296087027 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:51.456424952 CEST	857	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:51 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:51 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=epwOg%2FpcoQKDxc%2B20741nAkjSxrNAwxRrApW28EW20FqUJiZiR%2F9JdXxhHy5SPChHa78VrGvemTzX1nRz07L1cRcbujEo6PXmsj0fiNm0Jgvn1IcTFcqO0hPIhy%2BFRxaWMHY4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3037b5fe44db15-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.11.30	49859	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:52.607188940 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:52.748456001 CEST	882	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:52 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:52 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=acHzw%2BLB%2FUPbXOXVwOyeftiZ8lAZbZgKVcvlQliWal6osR%2FCHLsc0h7eoknn8Xjb6vv03Mm%2FSXuxFeVGL0LF1%2BFYkwYoMlwCvm4QJuqB5QBdH2VewXvXXhweWq6lyYAn7c4cxqZbkP8D6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3037be3a063349-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.11.30	49861	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:55.045187950 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:55.210267067 CEST	859	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:55 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:55 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R9HAR%2Fizh8nIjq7OU9D5MQl7mQOIgs79ovL1XD0fgO%2BRFLKC7rgIvjheyPZ8fHge52Uti7eUwMubI7NaL48iOvsa%2BsvjvzMhNTrFcM83UsJSG%2BMRmQ%2B2C01WiIe79xyNaMh9aQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3037cd6b348754-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.11.30	49862	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:56.372972012 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:39:56.539766073 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:39:56 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:39:56 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RnU%2BckVPb2zXIGKel4JetLoGz3QW9RpO4kolHdOXh4OVWvRUXK%2FG%2Fn7yfe4podkdH1MZn9C3JNvVmNiHFlz3YPZ23yYzpZjrH5eUJLMwIr8q0ra5jU6MU32GPDQzRuKXwBMrMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3037d5bea59af1-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.11.30	49867	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:39:59.981961966 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:00.122845888 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:00 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:00 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pU4oCPMX%2Bp8BnVKhz7GVjV4Itjb3LLx6iu60Vs0qKvvuCNy2MoeKVTOluUcildyb7ZFAvzqaHXaoZgAKc47wAydfYsQRkviboeUeODETtsoCnOnMhp3rjIPyngAsA%2Bw0QMmT%2BCWdbWNDbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3037ec4d88a658-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.11.30	49871	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:03.307537079 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:03.478085995 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:03 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:03 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QjN1oBsyZTZjUkyK4pw1MPRPBUAJRyqjAtPIJrzEqcx9Z0Xh2EwpBOjZQol28qOIbiqeYc54kXB5Sg9KfXyuNYnxe4ULx54YjRpWTibEZGy1H%2Bb%2BbPjvqyTtdo%2F5txHhME2lqgOP0kOF0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d30380118ef3347-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.11.30	49875	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:05.776717901 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:05.927970886 CEST	857	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:05 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dKMLP3p%2B43tlT9sspx98II8G7tzrmaMbvJ2cfnJ17onZwqH9A4TUEWklBOB3PeHFANMx8vX8cK%2FX2E3856YExQKIyqyfZqCBqcKgMOFqnvfDpP%2FtsiqRZBSzbPC03MSsyade%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038107a3c7473-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.11.30	49877	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:08.105302095 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:08.246814966 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:23 GMT Set-Cookie: __cf_bm=pCja678nNOzcnlj8AIl5cqDoL9NDLXz1QeNDVA6F_2I-1728999608-1.0.1.1-jNkPh3_JSqg3HjaMHtTxI59ZJOB0l27_29eyo1YQjFfKtfHTVh8lsilpJR0cgtg2Z6H5vvK3oW_NW5WkTN6BFg; path=/; expires=Tue, 15-Oct-24 14:10:08 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d30381f0e2fa542-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:08.246869087 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:08.246922970 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:08.246948957 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 38 31 66 30 65 32 66 61 35 34 32 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d30381f0e2fa542</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.11.30	49880	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:10.541316986 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:10.686429024 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:10 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:10 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XA4wkJgus%2FEdllf4kwJv2Nk7Io25NRxnIy4DtSTjMNhS87TdSY7fGz8HNlav5y1O1c0KwJP2%2Bl540tbXLAaxlQWWJfavvzUCo8BuICenFii%2BJVMDBQDG3i1HYCQ0WoAfHcaEZeHqBZIBPQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d30382e49863708-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.11.30	49882	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:11.856653929 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:12.037065029 CEST	861	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:11 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:11 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6b2kbeKGKroJ2RjkF%2Fk0SBqyS0yQETabFbHhJTBgt%2FcQuRKU69aSQTP%2BGQEigqg%2BNnptwkXJJJTIs8wiEKn3yAhQQPPgsgVxTK%2FDhLfkDlukZ%2Fkh8DAtSj2oKQyOS5Bw4RAVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038368e71a69b-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.11.30	49885	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:14.352721930 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:14.497003078 CEST	863	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:14 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:14 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OO%2Fz4AB1GMYaiTDLhsRbs4IPn%2BukVdMTkkXwd8GX4a3mJjutOnTguL4xVBjzzIJ%2Fw6Yp00FplXj42%2FLlfYU43JG7FzlgI4DPBuM6dF1oPxaDa%2FBQMNGk6uS%2F%2FvWbWXjP5sytIg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038461bce25e3-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.11.30	49887	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:15.648714066 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:15.792668104 CEST	853	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:15 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:15 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4nHI3vgcDs%2FclhtrOU5JXEbkuE7HtEZ30NTsmiyHrJFlT5JoaM45iRw3VuSKsgNKwqD07tXKFBIdHoERwzd5J5aJ69zRR6oZ1Sn0yn59uALE04upxBJMZ%2FVXCCXTI3hAVHwntg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d30384e3f2c4c01-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.11.30	49889	18.64.172.225	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:17.054218054 CEST	172	OUT	GET / HTTP/1.1 Host: www.imdb.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:17.182926893 CEST	586	IN	HTTP/1.1 301 Moved Permanently Server: CloudFront Date: Tue, 15 Oct 2024 13:40:17 GMT Content-Type: text/html Content-Length: 167 Connection: close Location: https://www.imdb.com/ X-Cache: Redirect from cloudfront Via: 1.1 990b3edf87805fa9b76a37723fae6ba2.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MIA3-P4 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: aUN6_wLwzWxQ5ksu83MNEBm6Y4IJ9HAv-mKMT2-wC-THDTugbWwjfg== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.11.30	49892	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:18.336213112 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:18.490449905 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:18 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:18 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rh8ZzzS2mwuxUe6%2FvfvrcikTbZswLJ4C5Pk2fL8lKJbps1FIvRmZEIrTig9SSIm8SDQ1OVWN4tCjAt32KfBrahRBbWJ1g%2FU80jC9EuhZIDR33rPYGiNZSOWb%2FUySzQ8CfTIptg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d30385ef9077481-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.11.30	49894	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:19.648307085 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:19.797949076 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:19 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:19 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=08VZyWRiPIbxn8AFn2xC6vxXs55bW5xFIyC32bd5e7ebnj%2BcSk83G%2BN61fki1xELkEBs1MKttmIqPFXDZ0rCFeDeLAWvvVmPZ5EE9p9Tty8NexvIMgrVLnpYU2dwCS0q%2Ff1cPeTXkXflSQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3038673fcfda9b-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.11.30	49896	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:20.967335939 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:21.108386040 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:36 GMT Set-Cookie: __cf_bm=FBZ5FeMR7wf3rISjFLmDc0tPNN5B9I35CCWGeBJgFi4-1728999621-1.0.1.1-298NnIQqgeSTU1cH0rOuH6QS0cYt5xc8d.H8nnUWeeXaHzn4.YSG5I7PbSrFxc4fzVKDu6c_One0Gbx0CKgP9w; path=/; expires=Tue, 15-Oct-24 14:10:21 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d30386f7cf52248-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:21.108458996 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:21.108761072 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:21.109281063 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 38 36 66 37 63 66 35 32 32 34 38 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d30386f7cf52248</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.11.30	49897	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:22.258682966 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:22.404212952 CEST	851	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:22 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:22 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U3XdX5BGA9se7pdNRi29lAQDoAZbnXJMAni8Y3triAsXefq0TmwTVQx3gX1reX0KZkg0FLPkqE73725QGo0DMgutWVp1dH9i3C7iIVDrkUGcvFvGG4IAQtN3Rr%2BgvHnSuEE1iw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038778bc32269-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.11.30	49901	104.27.207.92	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:24.741761923 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:24.893861055 CEST	855	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:24 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:24 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cveyvohVFavoSPEuC1p%2FYqAjYq5kBqqyiUewPp1ffRqkWb2gLMJY51aKqz2zMcR1i0X%2Fugvo5zx%2BbPlA4l3luS6PQ3oso3OC5ciC3bpZM7YDaktoNNZBekcu7FrGI69DIjkHBQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038870b56495e-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.11.30	49904	104.19.223.79	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:27.067579031 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:27.207514048 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:42 GMT Set-Cookie: __cf_bm=3KmCd1iTglOQmKtxyeKONNrNCnlRmgWQGTWjR52AWUU-1728999627-1.0.1.1-w_UaW0tu59N_neXqjWixCLbUAGXl5Fc1ZSzu5lWp2qGXRcxW8LC2cl8OJp2i9gGaqhcB8ETQwQkqqOGmDVxVjQ; path=/; expires=Tue, 15-Oct-24 14:10:27 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3038959d9aa528-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:27.207623005 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:27.207746029 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:27.207761049 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 38 39 35 39 64 39 61 61 35 32 38 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3038959d9aa528</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.11.30	49905	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:28.365048885 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:28.505347967 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:28 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:28 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KhxOzsHfoOOPo91TTCfFMmPwFU%2FG29hdoo34QzfFlrtPCcVbbbO6uihopc5zWRQi1w3yC0aBDG5nkWYEGqrk1o6InDZGmLI3XuQlpN9luN%2BLMxBRzTwlAVVqA0zGunx40fUhPqD%2BJR2i7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d30389daa0cd9ad-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.11.30	49909	172.67.155.175	80	7864	C:\Users\user\AppData\Local\Temp\zjisvko.exe

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:30.806879997 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:30.950052977 CEST	880	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:30 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:30 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6BdCzNwCIJlj6lKU01CDv2AWmxklqICRwzCmjQBtVknKJbfY8pRADV3eeBm3Du2ILGPO8TDKi1lRZGg89ZaCJnBEymIDBq2JcbuC6ZU5CPCk41B%2B8o%2B2xjtaiduk5Byu0sckA%2FQ%2FgOqfeA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3038ace9d5259a-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.11.30	49913	172.67.155.175	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:33.130750895 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:33.271306992 CEST	882	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:33 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:33 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fLBqussh%2BMNZYACI%2B%2FnpMlV9682rP6%2B76UOvQKZSOAKJ31AiYfiWd7nLe2cCq3Ni3u2ue27YcdnHxdFbcyyVYnmzA2YRWTcnMJM4EGmekpzsPF6QvispNaRqklB5bU7454dc3hBM%2B0oUgA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3038bb7b2d74b8-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.11.30	49914	172.67.155.175	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:34.442751884 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:34.592084885 CEST	880	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:34 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:34 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WGI%2Fz%2FeK8JMJRqjvGmJa%2BerOmH2qJ4uaCzij9dFBQ8aehTLfwYoHGWIDUHKXhvYswSGkSyZgwcaQYNj0UOja5NBmGIVEZMfy%2BTVioDN6LqDvgX4e9FpTNYJvaoUGRQdqeIuhMeWOtF1CMA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3038c3ae868dfc-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.11.30	49915	104.27.207.92	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:35.754916906 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:35.898957968 CEST	859	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:35 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:35 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2BuZBCprcyFokiQnPsj%2BVvdmsWtu4TIySWMzhFGq5QSdHnCLxpnWEWK3r8qp3Cd6nyOONNdxm%2BnaZSc35Kd3e6ZKMu%2B%2BJfhyRTlFgqQzIvLcihvPl4sgCbFDw7qHoRU8ig8kEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3038cbdedb8d9a-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.11.30	49919	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:38.194983959 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:38.335241079 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:53 GMT Set-Cookie: __cf_bm=ZUqrKhDp8xQn2DKspgYSS_EbV0bhRxRvgFryELuZ3O0-1728999638-1.0.1.1-upkv__2Z8cWMQyLaTM.2lOXjH2k6AKKbrH.NPjDs6cy7f0js8ACsPjezBVbHt9zJFXgwqaM0mnRp3puZNGxZYA; path=/; expires=Tue, 15-Oct-24 14:10:38 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3038db1c7ca689-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:38.335702896 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:38.335825920 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:38.335880995 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 38 64 62 31 63 37 63 61 36 38 39 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3038db1c7ca689</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port
53	192.168.11.30	49924	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:41.536031961 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:41.681519985 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:40:56 GMT Set-Cookie: __cf_bm=R.k1EjMfwQgTcDAR7aOiHCEUxF3je0_1LAbNJSfr2hY-1728999641-1.0.1.1-hpT_lPPXA6iDgRL3peV9w1XsZWO4bh4fJPtetgMjszkNtTwNJCdhW57tQvO2Zn5V_63zqe99GkHtCuMhWQE6Qw; path=/; expires=Tue, 15-Oct-24 14:10:41 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3038efff7031da-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:41.681618929 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:41.681668043 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:41.681732893 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 38 65 66 66 66 37 30 33 31 64 61 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3038efff7031da</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.11.30	49927	172.67.155.175	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:43.426250935 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:43.570031881 CEST	878	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:43 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:43 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q9sLPVYmJ1KEFvqdC5ZOkKhpbCS1MWS6%2B%2FOa2VvQtAv60EtQa8TqCKGzENP4g6HaS1Nu362d4RLgViVCUPH7%2FjpXoRGs3GuHBF5IRL8f2bg2WXZafqcadhTBznUU8uSbPfVYCOARgOTTTQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d3038fbc9528df4-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
55	192.168.11.30	49932	104.27.207.92	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:47.146018982 CEST	178	OUT	GET / HTTP/1.1 Host: www.whatismyip.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:47.292885065 CEST	853	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:47 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:47 GMT Location: https://www.whatismyip.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKaAg4NyBcjlsYWyFMO1479SKjPB1B6b4n7O3nMmPEe%2FvgllvnQXxPzgxwyID%2FzkNz3kiZeD9TEdy8xGqWBEfEMb8J7C1rhDaIwxpnnWzNEHHRVhul7ovkDjWqfzebRMGnTdcQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d3039130b09b3e5-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.11.30	49937	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:50.485524893 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:50.649286985 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:41:05 GMT Set-Cookie: __cf_bm=L9ZRP8axm0tU__VmuLOhxu8CGxXdjdQqpRsZYn.FkzA-1728999650-1.0.1.1-FZjCQS4a00.yI2KAbXeR8X1BDQ1elTMPrDfNh8Pjoft02bGGUXT_zLhINCcGqU.necUnLQXr4jmkcg.N_AUOGA; path=/; expires=Tue, 15-Oct-24 14:10:50 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d303927fb620318-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:50.649399996 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:50.649415016 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:50.649532080 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 39 32 37 66 62 36 32 30 33 31 38 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d303927fb620318</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.11.30	49941	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:53.671242952 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:53.821479082 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:40:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:41:08 GMT Set-Cookie: __cf_bm=VxVcVL.bDTBTwsANTKK5hYvjky_kE9jqeEGOM8rC_ng-1728999653-1.0.1.1-i51nPqjDsVO5mvKMCy6Q6KaORH_RDD3IzJRoyXRz_XfADhj62xDY4hlpk9v7emruHT5NoCBSLVVGQEtKT0Ndqg; path=/; expires=Tue, 15-Oct-24 14:10:53 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d30393bdf37b3d9-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:40:53.821572065 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:40:53.821587086 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:40:53.821599007 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 39 33 62 64 66 33 37 62 33 64 39 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d30393bdf37b3d9</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port
58	192.168.11.30	49945	172.67.155.175	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:40:57.122663021 CEST	183	OUT	GET / HTTP/1.1 Host: www.showmyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:40:57.265491962 CEST	886	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 15 Oct 2024 13:40:57 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 15 Oct 2024 14:40:57 GMT Location: https://www.showmyipaddress.com/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OOe%2Bj4IyycODoogW6MsBTXwcmKSDXfMCrodaZslDpm%2F%2B7%2Bq9mzXWf9ungYjlo2p2080GOBH1sajl16eWywOXkzU%2FoMAVTNjgYmSNf0%2FlJlEKbRwkIQnr76vr1MF2kf%2FppTncOU80pYtcUw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8d30395169413341-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
59	192.168.11.30	49954	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:41:03.746777058 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:41:03.891834021 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:41:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:41:18 GMT Set-Cookie: __cf_bm=qgCPNQUvA4T.cuX9sKX0Um1PtriHgV4WWFUpziUwxXA-1728999663-1.0.1.1-xPz__GkVFyYCwbohpRkZ38DVrzQqFLK87DxAEnqYExO85Tz2xdmqOlo4OYcjMUx9ex1Qa3z5o11wjzex6Zksmw; path=/; expires=Tue, 15-Oct-24 14:11:03 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d30397acb3874a2-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:41:03.891918898 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:41:03.891963959 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:41:03.892040014 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 39 37 61 63 62 33 38 37 34 61 32 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d30397acb3874a2</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Session ID	Source IP	Source Port	Destination IP	Destination Port
60	192.168.11.30	49959	104.19.223.79	80

Timestamp	Bytes transferred	Direction	Data
Oct 15, 2024 15:41:07.323862076 CEST	181	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Accept: / User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 Connection: close
Oct 15, 2024 15:41:07.467257977 CEST	1289	IN	HTTP/1.1 403 Forbidden Date: Tue, 15 Oct 2024 13:41:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4526 Connection: close Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 15 Oct 2024 13:41:22 GMT Set-Cookie: __cf_bm=kKmo4ROCqHNKLtwsO9p2yfQAbjF3Px2ckXqGlFgvJYA-1728999667-1.0.1.1-MBsL9KJP394uCiIBBbJeFsnWNcCkO_SuZzg_H1OysuvtKR_FzZvYdFGlmljjIIBLvu_zSabsndOdF4NqwL21hQ; path=/; expires=Tue, 15-Oct-24 14:11:07 GMT; domain=.whatismyipaddress.com; HttpOnly X-Frame-Options: DENY Server: cloudflare CF-RAY: 8d3039912c2e0a0e-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href
Oct 15, 2024 15:41:07.467370033 CEST	1289	IN	Data Raw: 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 Data Ascii: ="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigat
Oct 15, 2024 15:41:07.467385054 CEST	1289	IN	Data Raw: 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 Data Ascii: captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2> <p data-tr
Oct 15, 2024 15:41:07.467396975 CEST	1260	IN	Data Raw: 6c 64 22 3e 38 64 33 30 33 39 39 31 32 63 32 65 30 61 30 65 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 Data Ascii: ld">8d3039912c2e0a0e</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-rev

Target ID:	0
Start time:	09:38:44
Start date:	15/10/2024
Path:	C:\Users\user\Desktop\HqvlYZC7Gf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HqvlYZC7Gf.exe"
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:38:47
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe*"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:38:53
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"
Imagebase:	0x400000
File size:	737'280 bytes
MD5 hash:	6B760F8FDCB57B4FEFC1487B46EF20CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:38:53
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\zjisvko.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\zjisvko.exe" "-C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe"
Imagebase:	0x400000
File size:	737'280 bytes
MD5 hash:	6B760F8FDCB57B4FEFC1487B46EF20CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:38:59
Start date:	15/10/2024
Path:	C:\Windows\ojtoccrezqmarmjwql.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\ojtoccrezqmarmjwql.exe" .
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:39:00
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\ojtoccrezqmarmjwql.exe*."
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:39:07
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe" .
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:39:08
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\bzmkbewmkeduommczxkiz.exe*."
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:39:15
Start date:	15/10/2024
Path:	C:\Windows\mjvsikbqngeunkjyurda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\mjvsikbqngeunkjyurda.exe" .
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:39:16
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\mjvsikbqngeunkjyurda.exe*."
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:39:24
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe" .
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:39:24
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\appdata\local\temp\mjvsikbqngeunkjyurda.exe*."
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:39:32
Start date:	15/10/2024
Path:	C:\Windows\yrzsecpaticodwrc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\yrzsecpaticodwrc.exe"
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:39:40
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe"
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:39:48
Start date:	15/10/2024
Path:	C:\Windows\mjvsikbqngeunkjyurda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\mjvsikbqngeunkjyurda.exe"
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: takyouhoymc.exePID: 7272, Parent PID: 2328

General

Target ID:	17
Start time:	09:39:50
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:39:54
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:39:56
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:39:56
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe"
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: takyouhoymc.exePID: 4852, Parent PID: 2328

General

Target ID:	21
Start time:	09:39:57
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:39:59
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:40:00
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:40:01
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:40:03
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	09:40:04
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	09:40:04
Start date:	15/10/2024
Path:	C:\Windows\yrzsecpaticodwrc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\yrzsecpaticodwrc.exe" .
Imagebase:	0x400000
File size:	1'040'384 bytes
MD5 hash:	2CDB760530EC92B79EE2BF80371CAC90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	09:40:04
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\windows\yrzsecpaticodwrc.exe*."
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	09:40:05
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	09:40:05
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	09:40:06
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	09:40:07
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	09:40:08
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	09:40:08
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	09:40:09
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\takyouhoymc.exe" "c:\users\user\desktop\hqvlyzc7gf.exe"
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	09:40:10
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x400000
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	09:40:11
Start date:	15/10/2024
Path:	C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	327'680 bytes
MD5 hash:	C2093FBC0B0C6BD085F3AB7056BA31F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	52.1%
Total number of Nodes:	980
Total number of Limit Nodes:	24

Executed Functions

Function 0040A949 Relevance: 276.5, APIs: 156, Strings: 1, Instructions: 1764libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,776AC310,00000000,00000000), ref: 0040A96C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A99C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9BB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9DA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9F9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA18
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA37
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA56
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA75
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA94
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAB3
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAD2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAF1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB10
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB2F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB4E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ABCF
GetLastError.KERNEL32 ref: 0040ABE1
LoadLibraryA.KERNEL32(00000000), ref: 0040AC0D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC35
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC54
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC73
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC92
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACB1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACEF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD0E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD4C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADB9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADD8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADF7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE16
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE5B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE7A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE99
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AEB8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AED7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AEF6
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF15
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF34
GetLastError.KERNEL32 ref: 0040AF6D
LoadLibraryA.KERNEL32(00000000), ref: 0040AF99
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFC1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFE0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFFF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B01E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B03D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B05C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B07B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B09A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B0B9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B0D8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B145
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B164
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B183
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1A2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1C1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1E0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B21E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B267
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B286
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2A5
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2C4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2E3
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B302
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B321
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B340
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B35F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B37E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B39D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3DB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3FA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B419
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B438
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B457
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B4F4
GetLastError.KERNEL32 ref: 0040B501
LoadLibraryA.KERNEL32(00000000), ref: 0040B52D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B555
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B574
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B593
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5B2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5D1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5F0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B60F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B62E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B64D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B66C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B68B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6C9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6E8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B707
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B726
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B745
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B764
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B783
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7A2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7C1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7E0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B81E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B83D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B85C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B87B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B89A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8B9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8D8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8F7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B916
GetLastError.KERNEL32 ref: 0040BA33
LoadLibraryA.KERNEL32(00000000), ref: 0040BA5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BA87
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAA6
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAC5
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAE4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB03
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB22
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB60
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB7F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB9E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BBBD
LoadLibraryA.KERNEL32(00000000), ref: 0040BC46
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BC6E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BC8D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCAC
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCCB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCEA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BD09
GetLastError.KERNEL32 ref: 0040BD3A
LoadLibraryA.KERNEL32(00000000), ref: 0040BD66
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BD8A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BDA9
GetLastError.KERNEL32 ref: 0040BDBE
LoadLibraryA.KERNEL32(00000000), ref: 0040BDEA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE12
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE50
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE8E
GetLastError.KERNEL32 ref: 0040BEB3
LoadLibraryA.KERNEL32(00000000), ref: 0040BEE5
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF08
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF29
GetLastError.KERNEL32 ref: 0040BF3A
LoadLibraryA.KERNEL32(00000000), ref: 0040BF66
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF89
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BFAA
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BFCB
LoadLibraryA.KERNEL32(00000000), ref: 0040BFE9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040C009

Strings

\&LUk, xrefs: 0040B736

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast$HandleModule
String ID: \&LUk
API String ID: 1445086619-3669246032
Opcode ID: 559059990ff643097508b6262fd03eeb35fb8387410a21d0e2ae341eea3bf3a4
Instruction ID: fe00ecd7844f749915d9149580f3465eef428d98f78ac84402cf4c52ab4222cc
Opcode Fuzzy Hash: 559059990ff643097508b6262fd03eeb35fb8387410a21d0e2ae341eea3bf3a4
Instruction Fuzzy Hash: A4C2E1F5D40314AFE751AF50AC82EBA36ACD714705F14057FFA04E1192EFB85A848FAA

Function 0040C7E0 Relevance: 121.3, APIs: 67, Strings: 2, Instructions: 588
registrystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040C812
lstrcpyA.KERNEL32(?,00000000), ref: 0040C865
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040C895
lstrlenA.KERNEL32(?), ref: 0040C8A8
RegSetValueExA.KERNEL32(?,Shell,00000000,00000001,?,00000000), ref: 0040C8BD
RegCloseKey.ADVAPI32(?), ref: 0040C8C6
Sleep.KERNEL32(00000064), ref: 0040C8CE
lstrlenA.KERNEL32(?), ref: 0040C932
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040C949
RegCloseKey.ADVAPI32(?), ref: 0040C952
Sleep.KERNEL32(00000064), ref: 0040C95A
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040C986
lstrcatA.KERNEL32(?,0042A778), ref: 0040C9C3
Sleep.KERNEL32(00000064), ref: 0040C9CB
lstrlenA.KERNEL32(?), ref: 0040C9D4
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040C9EB
RegCloseKey.KERNEL32(?), ref: 0040C9F4
Sleep.KERNEL32(00000064), ref: 0040C9FC
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CA28
lstrlenA.KERNEL32(?), ref: 0040CA60
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CA77
RegCloseKey.ADVAPI32(?), ref: 0040CA80
Sleep.KERNEL32(00000064), ref: 0040CA88
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CAB4
lstrlenA.KERNEL32(?), ref: 0040CAEC
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CB03
RegCloseKey.KERNEL32(?), ref: 0040CB0C
Sleep.KERNEL32(00000064), ref: 0040CB14
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CB40
lstrcatA.KERNEL32(?,0042A778), ref: 0040CB7D
lstrlenA.KERNEL32(?), ref: 0040CB8A
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CBA1
RegCloseKey.ADVAPI32(?), ref: 0040CBAA
Sleep.KERNEL32(00000064), ref: 0040CBB2
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040CBC0
lstrlenA.KERNEL32(?), ref: 0040CBCD
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CC03
lstrlenA.KERNEL32(?), ref: 0040CC36
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CC4D
RegCloseKey.ADVAPI32(?), ref: 0040CC56
Sleep.KERNEL32(00000064), ref: 0040CC5E
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CC8A
lstrcatA.KERNEL32(?,0042A778), ref: 0040CCC3
lstrlenA.KERNEL32(?), ref: 0040CCD0
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CCE7
RegCloseKey.ADVAPI32(?), ref: 0040CCF0
Sleep.KERNEL32(00000064), ref: 0040CCF8
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CD24
lstrlenA.KERNEL32(?), ref: 0040CD58
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CD6F
RegCloseKey.ADVAPI32(?), ref: 0040CD78
Sleep.KERNEL32(00000064), ref: 0040CD80
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040C8FA

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

Part of subcall function 0040C7B4: lstrcatA.KERNEL32(76AF0F00,.exe,76AF0F00,0040CE0C,?,?,-00000004), ref: 0040C7D6

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040CD9B
lstrlenA.KERNEL32(?), ref: 0040CDA8
Sleep.KERNEL32(00000064), ref: 0040CDB6
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CDE2
lstrlenA.KERNEL32(?), ref: 0040CE16
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CE2D
RegCloseKey.KERNEL32(?), ref: 0040CE36
Sleep.KERNEL32(00000064), ref: 0040CE3E
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CE6A
lstrcatA.KERNEL32(?,0042A778), ref: 0040CEA3
lstrlenA.KERNEL32(?), ref: 0040CEB0
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CEC7
RegCloseKey.ADVAPI32(?), ref: 0040CED0
Sleep.KERNEL32(00000064), ref: 0040CED8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040CBB4, 0040CD8F
Shell, xrefs: 0040C8B5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Sleep$CloseCreateValue$lstrcat$lstrcpy$CountTick
String ID: C:\Users\user\AppData\Local\Temp\$Shell
API String ID: 2961240498-2765105148
Opcode ID: 7404fc93447d8bf64e56304fcf3f363a38a5c7cd9712ee1ee70b377c33cd25fb
Instruction ID: 90de6ba1451ff6c394c1e8d4d076b74571b15df8ac0f0f587aead68d2d5e9081
Opcode Fuzzy Hash: 7404fc93447d8bf64e56304fcf3f363a38a5c7cd9712ee1ee70b377c33cd25fb
Instruction Fuzzy Hash: F2123DB2D4021CBFEB21EB90DC8AFEA777DEB44305F1004BAB605A5051EEB45F948E65

Function 00413E36 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E4B
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E52
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E5C
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000104,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00413E75
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E81
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E88
CloseHandle.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F77
SetFileAttributesA.KERNEL32(00000000,00000006,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F82

Strings

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00413E3C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AttributesCloseCurrentFileHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\
API String ID: 3498935171-1812980290
Opcode ID: ae00fb54b3492c3a0ace82967610d98ed381333d34f1cc31c124c4b0d0481274
Instruction ID: 790f76d0c7c029a87acee6e2e27f50b46b65660552c2eddc99154039eeec75a8
Opcode Fuzzy Hash: ae00fb54b3492c3a0ace82967610d98ed381333d34f1cc31c124c4b0d0481274
Instruction Fuzzy Hash: DC411B71E00218BBDB209FA1ED4DEEE7FBCEB44705F50006AF901E2160DB749A56DB69

Function 00408D16 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D52
GetVersionExA.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D63
GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,776AC310,00000000), ref: 00408D76
GetProcAddress.KERNEL32(00000000), ref: 00408D7F
GetNativeSystemInfo.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D89
GetSystemInfo.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D91
GetModuleHandleA.KERNEL32(kernel32.dll,GetProductInfo,?,?,?,776AC310,00000000), ref: 00408D9D
GetProcAddress.KERNEL32(00000000), ref: 00408DA0

Strings

kernel32.dll, xrefs: 00408D70, 00408D75, 00408D9C
GetNativeSystemInfo, xrefs: 00408D6B
GetProductInfo, xrefs: 00408D97

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressHandleInfoModuleProcSystemVersion$Native
String ID: GetNativeSystemInfo$GetProductInfo$kernel32.dll
API String ID: 3903033433-163341747
Opcode ID: fbbee03e285ec05455dee1f19f6cdfb3ba18d411294cec618d8be033263a36fd
Instruction ID: d88b8f0607474c3343ca8232b8e6d8559b1ef925911f9e6111a5faab946cfceb
Opcode Fuzzy Hash: fbbee03e285ec05455dee1f19f6cdfb3ba18d411294cec618d8be033263a36fd
Instruction Fuzzy Hash: E1219171A0025CDBDB20DFA4DC44E9E7BB8EF48340F54446AF911A7281D738A94ACF69

Function 0040C34F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000), ref: 0040C37A
OpenProcessToken.ADVAPI32(00000000), ref: 0040C381
GetTokenInformation.KERNELBASE(?,00000002,?,00000400,?,C:\Users\user\AppData\Local\Temp\), ref: 0040C3A8
CloseHandle.KERNEL32(?), ref: 0040C3B3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040C392

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 215268677-787714339
Opcode ID: 3fc46e723eba71a1b8dee2f8b2f347e21d2e4dbc9b647d4307064d127fe98ce9
Instruction ID: f3f63443dbc0749890ce36748c36b560e41776e2a16b7f1285e76c09dac5efdf
Opcode Fuzzy Hash: 3fc46e723eba71a1b8dee2f8b2f347e21d2e4dbc9b647d4307064d127fe98ce9
Instruction Fuzzy Hash: B52160B2D00219FBDF119FA49C85AEEBB79BB14301F4081BAEA01B3191DB345A45DF69

Function 00422B93 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0042B7F8,00000060), ref: 00422BB3
GetModuleHandleA.KERNEL32(00000000,?,0042B7F8,00000060), ref: 00422C06
GetCommandLineA.KERNEL32(?,0042B7F8,00000060), ref: 00422C9F
GetStartupInfoA.KERNEL32(?), ref: 00422CF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00422D16

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: HandleModule$CommandInfoLineStartupVersion
String ID:
API String ID: 2778164164-0
Opcode ID: 544791c77213106303abe15329d4be5378e9b9fc1e400ee312837e66c0c246e7
Instruction ID: e61f031dfd1e6ee1ba070bf2223e8a7bfb6b0622ed2d9bb9f5bd357ba4bfd0df
Opcode Fuzzy Hash: 544791c77213106303abe15329d4be5378e9b9fc1e400ee312837e66c0c246e7
Instruction Fuzzy Hash: 2341C670F00631AAD721AF76B90566E77A0AF04715FA0442FE405AB292EBBC9942CB5D

Function 00410BF4 Relevance: 6.0, APIs: 4, Instructions: 32memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Sleep.KERNEL32(0000012C,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C14
GetProcessHeap.KERNEL32(00000008,00413E9A,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C1D
RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$Process$AllocateSleep
String ID:
API String ID: 3409823521-0
Opcode ID: dc8d79010e6cb7fb2a9b52c8fd9bd5d07f5d98b887a2c5e385c4889fd42eb09a
Instruction ID: 01a82105be4d9c68f9512b8fa3753ec40f4bf94fe3f1a858fa601996ad67c288
Opcode Fuzzy Hash: dc8d79010e6cb7fb2a9b52c8fd9bd5d07f5d98b887a2c5e385c4889fd42eb09a
Instruction Fuzzy Hash: D7E0D83274121877C020279BAD45F5BF75CDFD5BA4F414022F704971509AA6686286FA

Function 0040C431 Relevance: 3.0, APIs: 2, Instructions: 23sleepCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0040C440
Sleep.KERNEL32(000003E8), ref: 0040C46A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: a18abad0d9134f67dbb407c31c5c62fbab7a71adb5fb281b7f8a0cd74ff0b0b2
Instruction ID: ec4e0dc912df284146a4d6c4ec45948b48cf9508f1cb833489b9ad9e6170350e
Opcode Fuzzy Hash: a18abad0d9134f67dbb407c31c5c62fbab7a71adb5fb281b7f8a0cd74ff0b0b2
Instruction Fuzzy Hash: C8E0ED32804218EBDB219B95D8896AE7739F741721F610265D801732818A787E429AF9

Function 00406151 Relevance: 84.5, APIs: 56, Instructions: 463
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNEL32(80000001,00000000,76AF23A0,-000927C0,00000011), ref: 00406190
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004061BA
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004), ref: 004061C8
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000001,00000004), ref: 004061CD
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004), ref: 004061D5
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 00406201
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040622F
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406237
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040623E
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406261
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406269
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040628C
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406294
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004062B7
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004062BF
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004062E2
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004062EA
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 0040630D
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406315
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406338
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406340
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406363
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040636B
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040638E
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406396
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004063B9
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004063C2
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004063CA
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,00000000,00020006,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004063FD
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406405
RegSetValueExA.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406428
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406431
Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406439
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 00406465
Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040646D
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001), ref: 00406490
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 00406499
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 004064A1
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004064D4
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004064FB
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406504
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040650C
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001), ref: 0040653F
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004), ref: 00406566
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004,?,?,00000000), ref: 0040656E
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091), ref: 00406591
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004,?,?,00000000), ref: 00406599
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004065BC
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004065C4
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004065E7
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004065EF
RegSetValueExA.KERNEL32(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406612
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040661A
RegSetValueExA.KERNEL32(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 0040663D
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406646
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040664E

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$Value$CloseCreate
String ID:
API String ID: 3184397383-0
Opcode ID: 93dc55894faf6f814b2ddcf65b5400ae89b31cf79d55cf43324b23fa800c9202
Instruction ID: 2bdb2e7eba901f38f779a2f5ef2eb5fdc224b4dd96516dc32fec66fda6d992c8
Opcode Fuzzy Hash: 93dc55894faf6f814b2ddcf65b5400ae89b31cf79d55cf43324b23fa800c9202
Instruction Fuzzy Hash: B6E11FB6A40218BEE711ABD1DC4AEFF7F7CDB44B05F50007ABA04A1092EA715F949B35

Function 0040DA5B Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 190
stringthreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00458D80,76AF0A60,00000000), ref: 0040DA72
SetErrorMode.KERNEL32(00008003), ref: 0040DAC5
GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00000104), ref: 0040DAFF
lstrcatA.KERNEL32(C:\Windows\system32\,0042A3B0), ref: 0040DB0B
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000001), ref: 0040DB4C
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000001), ref: 0040DB9B
WSAStartup.WS2_32(00000101,?), ref: 0040DBFE
InitializeCriticalSection.KERNEL32(0044F7B8), ref: 0040DC09
InitializeCriticalSection.KERNEL32(0044F79C), ref: 0040DC10
InitializeCriticalSection.KERNEL32(00459708), ref: 0040DC17
InitializeCriticalSection.KERNEL32(0045983C), ref: 0040DC1E
InitializeCriticalSection.KERNEL32(0044F7E0), ref: 0040DC25
InitializeCriticalSection.KERNEL32(00459674), ref: 0040DC2C
InitializeCriticalSection.KERNEL32(004596EC), ref: 0040DC33
InitializeCriticalSection.KERNEL32(004596D4), ref: 0040DC3A
InitializeCriticalSection.KERNEL32(004596BC), ref: 0040DC41
InitializeCriticalSection.KERNEL32(004596A4), ref: 0040DC48
InitializeCriticalSection.KERNEL32(0045968C), ref: 0040DC4F

Part of subcall function 0040C54E: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C591
Part of subcall function 0040C54E: CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0040C5A7
Part of subcall function 0040C54E: GetLastError.KERNEL32 ref: 0040C5AF
Part of subcall function 0040C54E: CloseHandle.KERNEL32(00000000), ref: 0040C5BA

CreateThread.KERNEL32(00000000,00000000,0040C431,00000000,00000000,00000000), ref: 0040DC8A
CreateThread.KERNEL32(00000000,00000000,0040D1D8,00000000,00000000,00000000), ref: 0040DC96

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040DB47, 0040DB96, 0040DBB8
C:\Windows\system32\, xrefs: 0040DAF9, 0040DAFE, 0040DB0A, 0040DB11

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalInitializeSection$Create$ErrorMutexThreadlstrcpy$CloseDirectoryHandleLastModeOpenStartupSystemlstrcat
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$C:\Windows\system32\
API String ID: 3287937100-2541385624
Opcode ID: 9633477999c02ddfe6c2a7f9c99b52244ab6714c580f5a93abaa768d4b997d80
Instruction ID: 4a85369abd0a2a9a89e7fd51754485e40c171d24ce782e2c1052b94615d691b9
Opcode Fuzzy Hash: 9633477999c02ddfe6c2a7f9c99b52244ab6714c580f5a93abaa768d4b997d80
Instruction Fuzzy Hash: CF518D71A44254AAEA217BF56C46FAB3A589F4175AF25003BFC41311C38ABC5C4ECA7F

Function 0040D59D Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,776AC310,00000000,00000000), ref: 0040D5FF
lstrlenA.KERNEL32(00000000), ref: 0040D608
lstrcpyA.KERNEL32(?,00000000), ref: 0040D6A3
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D6B8
lstrcatA.KERNEL32(?,?), ref: 0040D6C5
lstrcatA.KERNEL32(?,0040DBCB), ref: 0040D6D1
lstrcpyA.KERNEL32(?,00000000), ref: 0040D6E1
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D6EB
lstrcatA.KERNEL32(?,?), ref: 0040D6F8
lstrcatA.KERNEL32(?,0042A570), ref: 0040D706
lstrcatA.KERNEL32(?,0040DBCB), ref: 0040D712
GetCurrentProcess.KERNEL32(00000080), ref: 0040D738
SetPriorityClass.KERNEL32(00000000), ref: 0040D73F
Sleep.KERNEL32(000000C8), ref: 0040D755
ShellExecuteA.SHELL32(00000000,00000000,?,0040DBCB,00000000,00000001), ref: 0040D7AA
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?), ref: 0040D7BE
GetCurrentProcess.KERNEL32(00000020), ref: 0040D7C2
SetPriorityClass.KERNEL32(00000000), ref: 0040D7C9

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040D5F3, 0040D768, 0040D76D, 0040D783, 0040D798, 0040D7BD

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$lstrcpy$ClassCurrentPriorityProcess$ExecuteShellSleeplstrlen
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 2073929028-2091069259
Opcode ID: b81710890596d086b68fea6b726275e9a4db65c3f40f31fbfe46a78a7b9d0545
Instruction ID: 1a0aace4e15970706aaa44d2e18305b865cd50f5bf73cf5a6aff2fe7f313b9f7
Opcode Fuzzy Hash: b81710890596d086b68fea6b726275e9a4db65c3f40f31fbfe46a78a7b9d0545
Instruction Fuzzy Hash: A351C672C00658AADF219BE09C49FDFBB7CAF44301F0404ABE548B3181DA759B89CF69

Function 004017F4 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 315
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

SetFileAttributesA.KERNEL32(?,00000080), ref: 00401857
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401871
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040188B
CloseHandle.KERNEL32(00000000), ref: 00401892
GetTickCount.KERNEL32 ref: 0040192E

Strings

B, xrefs: 004018F2
B, xrefs: 00401988
no key, xrefs: 004018D7, 0040196E
(, xrefs: 00401B15

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandle$AttributesCountReadSizeTick
String ID: ($no key$B$B
API String ID: 1796527405-2363439422
Opcode ID: b24affbcf6bccaa63e0d47b82a2edc9452599d9e918e857ba6cd2f70874563eb
Instruction ID: 99ae764c1ea9729c4b7b0c9cd9d2d79b54af91cbee982e745e221d5f3147cf5d
Opcode Fuzzy Hash: b24affbcf6bccaa63e0d47b82a2edc9452599d9e918e857ba6cd2f70874563eb
Instruction Fuzzy Hash: E2B14BB2E00214EBDB209BA5DC45BEEB7B9EF04314F44407AF901B72A1D7789E51CB99

Function 0040D1D8 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 91
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 0040D21B
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D223
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D254

Part of subcall function 00414D8E: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

lstrlenA.KERNEL32(00000000), ref: 0040D22A

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040D276
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D27E
lstrlenA.KERNEL32(00000000), ref: 0040D285
lstrcatA.KERNEL32(?,.exe), ref: 0040D29D
GetTickCount.KERNEL32 ref: 0040D2B6
GetTickCount.KERNEL32 ref: 0040D2CA
GetTickCount.KERNEL32 ref: 0040D2D5
Sleep.KERNEL32(00002710), ref: 0040D2E4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D26C
C:\Windows\system32\, xrefs: 0040D211
.exe, xrefs: 0040D24B, 0040D297

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$CountTicklstrlen$lstrcpy$CreateFileSleep
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 157799668-577769959
Opcode ID: a14428d9e2af36542f807380719714de05a372dac77148e5a00d34e4d435e05c
Instruction ID: 1dd661079137dd266a11f3d998b1c56a89a9d41e77c259510d1bc51e0b0dfb00
Opcode Fuzzy Hash: a14428d9e2af36542f807380719714de05a372dac77148e5a00d34e4d435e05c
Instruction Fuzzy Hash: 8A21A772504315ABC610FFA0EC4599BB7DCAB84310F11082FF941A3193DA78D95D8BAB

Function 0040CEDF Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 99
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,0042A788), ref: 0040CF28
lstrcatA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 0040CF3C
lstrcatA.KERNEL32(00000000,0042A784), ref: 0040CF4A
lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 0040CF59

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

lstrlenA.KERNEL32(00000000,-00000005), ref: 0040CF72

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcatA.KERNEL32(00000000,.exe), ref: 0040CF93
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 0040CFCF
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\takyouhoymc.exe,00000000,00000000), ref: 0040CFE3
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000001), ref: 0040D00B

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040CF30
C:\Users\user\AppData\Local\Temp\, xrefs: 0040CF4C, 0040CF51, 0040CFF8
.exe, xrefs: 0040CF87
C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, xrefs: 0040CFDE

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$lstrcatlstrlen$Attributeslstrcpy$CloseCopyCreateExecuteHandleShellSize
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\takyouhoymc.exe$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 3499175425-1914881269
Opcode ID: 24e34c12a7353faee238a2288893e0d00ab5e7609692cd2730c9dbbfb4d67edc
Instruction ID: 841bb2694eb70e705f06205daaf3cb89c723d915824e048fd7700e84ea31da65
Opcode Fuzzy Hash: 24e34c12a7353faee238a2288893e0d00ab5e7609692cd2730c9dbbfb4d67edc
Instruction Fuzzy Hash: 1F318872A04219ABDB20E7A4DC49FD977AC9B54305F5004E7F644E20C1DFB8ABC98F69

Function 0040C6A0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\,776AC310,76AF0F10,00000000), ref: 0040C6D2
lstrlenA.KERNEL32(00000000), ref: 0040C6E1

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcatA.KERNEL32(?,.exe), ref: 0040C70F

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 0040C748
lstrlenA.KERNEL32(00000000), ref: 0040C751
lstrcatA.KERNEL32(00000000,.exe), ref: 0040C772
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0040C7AD

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040C7A8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040C6C6
C:\Windows\system32\, xrefs: 0040C73C
.exe, xrefs: 0040C707, 0040C76C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcpylstrlen$lstrcat$AttributesFile
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$C:\Windows\system32\
API String ID: 3674745152-3356367058
Opcode ID: b6df891b65a45cc2a615300a5c9184ea6f316ab2b91bf69aa434291407f973ad
Instruction ID: b179360706abfde640a6b66b940e8fe839b2ad012b079806e7e9c2bb175f0aee
Opcode Fuzzy Hash: b6df891b65a45cc2a615300a5c9184ea6f316ab2b91bf69aa434291407f973ad
Instruction Fuzzy Hash: BD315072D0021DEADF15DBD4DC46AED77BCAB48305F6008ABE604B3181E7B89B859F58

Function 0040C018 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 58
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,C:\Users\user\AppData\Local\Temp\,00000104,C:\Users\user\AppData\Local\Temp\,?,00000000,0040D80A), ref: 0040C02D

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,-00000006,?,00000000,0040D80A), ref: 0040C042

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

Part of subcall function 00413E36: GetCurrentProcess.KERNEL32(00000008,?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E4B
Part of subcall function 00413E36: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E52
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E5C

SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,00000000,0040D80A), ref: 0040C058
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0042A3B0,?,00000000,0040D80A), ref: 0040C064
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,00000000,0040D80A), ref: 0040C071
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,-0000000C,?,00000000,0040D80A), ref: 0040C084

Part of subcall function 00413E36: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000104,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00413E75
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E81
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E88
Part of subcall function 00413E36: CloseHandle.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F77
Part of subcall function 00413E36: SetFileAttributesA.KERNEL32(00000000,00000006,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F82

SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,?,?,?,00000000,0040D80A), ref: 0040C09A
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,0042A3B0,?,?,?,?,00000000,0040D80A), ref: 0040C0A6

Strings

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\, xrefs: 0040C06B, 0040C070, 0040C083, 0040C08E, 0040C0A5
C:\Users\user\AppData\Local\Temp\, xrefs: 0040C020, 0040C022
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 0040C027, 0040C02C, 0040C041, 0040C04C, 0040C057, 0040C063, 0040C06A, 0040C099

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$AttributesErrorFileLast$ProcessTokenlstrcatlstrcpy$CloseCurrentHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\
API String ID: 1705690235-91685041
Opcode ID: a22528a4bd3f7e1b7169bd5d19fea0fd725bc73e28345ff0d74c62af98b68780
Instruction ID: d73920bf5ce4dfd11cd3351f73f73b1dc2511ad9cee57e00e81c4fc8d553fe06
Opcode Fuzzy Hash: a22528a4bd3f7e1b7169bd5d19fea0fd725bc73e28345ff0d74c62af98b68780
Instruction Fuzzy Hash: CE0184B3B4121073C1213B21AC8BFBF3A1D9F82726F04402AFD0595142CF5C566A46BF

Function 0040C0B1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,?), ref: 0040C0F4
lstrcpyA.KERNEL32(4941262305804196,?), ref: 0040C104
GetVolumeInformationA.KERNEL32(0040DB1D,00000000,00000000,00000063,00000000,00000000,00000000,00000000), ref: 0040C136
lstrcatA.KERNEL32(4941262305804196,?), ref: 0040C152

Strings

c, xrefs: 0040C0ED
C:\Windows\system32\, xrefs: 0040C0BA, 0040C11A
2, xrefs: 0040C0E6
4941262305804196, xrefs: 0040C0FE, 0040C103, 0040C151

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ComputerInformationNameVolumelstrcatlstrcpy
String ID: 2$4941262305804196$C:\Windows\system32\$c
API String ID: 96996548-2816264590
Opcode ID: d84cf7e1718c1e54ac5a1dacb7e25b78403c8476962d3321682ff539aece8d81
Instruction ID: 22708223c646a178d41bc95d92e2a0f814173ae4769f9c09350c61bb9050823e
Opcode Fuzzy Hash: d84cf7e1718c1e54ac5a1dacb7e25b78403c8476962d3321682ff539aece8d81
Instruction Fuzzy Hash: 90114F72A4121CBFDB01DBE8DC85EEEBBBCFB18344F140466F600E6041DB745A198B65

Function 0040D09A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000), ref: 0040D0B1
lstrcpyA.KERNEL32(00000000,0040D1D5,776AC310), ref: 0040D0DB
lstrlenA.KERNEL32(00000000), ref: 0040D0E8
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D11C
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 0040D12E
SetFileAttributesA.KERNEL32(00000000,00000007), ref: 0040D148

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040D0AB, 0040D0B0, 0040D137
.exe, xrefs: 0040D116

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AttributesFilelstrlen$lstrcatlstrcpy
String ID: .exe$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 1691315094-628786359
Opcode ID: 495355920ec7953673e0eef587f14138d5ede02e4b128155301275f2b9f1aee0
Instruction ID: bba8a6c5f5bab5744c0c80198fd7e287e6b0401e6d4ca0dbf8b47a0fecc87264
Opcode Fuzzy Hash: 495355920ec7953673e0eef587f14138d5ede02e4b128155301275f2b9f1aee0
Instruction Fuzzy Hash: D211E972904218EAEB209B94DC45BDD77ACDB05314F1044A6E940E7182D7F86BD98FA5

Function 00413BCF Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413C25
CreateFileA.KERNEL32(0040D13D,40000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C3D
ReadFile.KERNEL32(?,?,0040D13D,?,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C6B
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C7D
CloseHandle.KERNEL32(?,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413CAB
CloseHandle.KERNEL32(?,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413CB2

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 00413BD5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandle$ReadSizeWrite
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 1842372638-2091069259
Opcode ID: c1c920c90bf58fdbc3e8cb355cb3d56a9521444a16e49114f34270d3f8be6db9
Instruction ID: 8831f88d7733d5c323c613fc166e52a429560689813e7087c96eeecf3537979f
Opcode Fuzzy Hash: c1c920c90bf58fdbc3e8cb355cb3d56a9521444a16e49114f34270d3f8be6db9
Instruction Fuzzy Hash: 0C31AD72D00209BFDF119FA5CC84AEFBB78EB04355F10406AF510B2290E7345A92CBA8

Function 0040D158 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D09A: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000), ref: 0040D0B1
Part of subcall function 0040D09A: lstrcpyA.KERNEL32(00000000,0040D1D5,776AC310), ref: 0040D0DB
Part of subcall function 0040D09A: lstrlenA.KERNEL32(00000000), ref: 0040D0E8
Part of subcall function 0040D09A: lstrcatA.KERNEL32(00000000,.exe), ref: 0040D11C
Part of subcall function 0040D09A: SetFileAttributesA.KERNEL32(00000000,00000080), ref: 0040D12E
Part of subcall function 0040D09A: SetFileAttributesA.KERNEL32(00000000,00000007), ref: 0040D148

GetWindowsDirectoryA.KERNEL32(?,C:\Windows\system32\), ref: 0040D18B
lstrlenA.KERNEL32(?), ref: 0040D19C
lstrcatA.KERNEL32(0000005C,0042A3B0), ref: 0040D1B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D1CB
C:\Windows\system32\, xrefs: 0040D173
\, xrefs: 0040D1A2

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat$DirectoryWindowslstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\$\
API String ID: 2968102200-2806058128
Opcode ID: 2ed7aec3453b3e2aff95835a4acf487c9ae87da3e95239a0db27f53eae31b2c8
Instruction ID: 7a1d7f8a24643269cf3a04ab3bcaf447689481d6c68f54a33154304281eb3d5c
Opcode Fuzzy Hash: 2ed7aec3453b3e2aff95835a4acf487c9ae87da3e95239a0db27f53eae31b2c8
Instruction Fuzzy Hash: 52F04471E083086ADB2097E09D0ABD677A85B14309F5404BAE9C5F11C5DEBC95CD8A19

Function 0040D7D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\takyouhoymc.exe,00000104,776AC310,00000000,0040DBDD), ref: 0040D7DF
GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\), ref: 0040D7EC
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0042A3B0), ref: 0040D7F8

Part of subcall function 00414BF8: lstrcpyA.KERNEL32(00000001,00000002,776AC310,00000000,?,0040DB17,C:\Windows\system32\), ref: 00414C42

Part of subcall function 0040C018: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,C:\Users\user\AppData\Local\Temp\,00000104,C:\Users\user\AppData\Local\Temp\,?,00000000,0040D80A), ref: 0040C02D
Part of subcall function 0040C018: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,-00000006,?,00000000,0040D80A), ref: 0040C042
Part of subcall function 0040C018: SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,00000000,0040D80A), ref: 0040C058
Part of subcall function 0040C018: lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0042A3B0,?,00000000,0040D80A), ref: 0040C064
Part of subcall function 0040C018: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,00000000,0040D80A), ref: 0040C071
Part of subcall function 0040C018: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,-0000000C,?,00000000,0040D80A), ref: 0040C084
Part of subcall function 0040C018: SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,?,?,?,00000000,0040D80A), ref: 0040C09A
Part of subcall function 0040C018: lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,0042A3B0,?,?,?,?,00000000,0040D80A), ref: 0040C0A6

Part of subcall function 0040C34F: GetCurrentProcess.KERNEL32(00000008,?,00000000), ref: 0040C37A
Part of subcall function 0040C34F: OpenProcessToken.ADVAPI32(00000000), ref: 0040C381

Part of subcall function 00415EAD: RegCreateKeyExA.KERNEL32(80000002,00000000,0040D819,00000000,C:\Users\user\AppData\Local\Temp\), ref: 00415EE9
Part of subcall function 00415EAD: RegSetValueExA.KERNEL32(0040D819,00000000,?,?,00000000,00000004,?,00000004), ref: 00415F12
Part of subcall function 00415EAD: RegCloseKey.ADVAPI32(0040D819,?,?,00000000,00000004,?,00000004), ref: 00415F1B

Part of subcall function 00415C5F: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 00415CA3

GetTickCount.KERNEL32 ref: 0040D832

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D7E5, 0040D7EA, 0040D7F7, 0040D7FE
C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, xrefs: 0040D7D8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Filelstrcatlstrcpy$AttributesOpenProcesslstrlen$CloseCountCreateCurrentModuleNamePathTempTickTokenValue
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
API String ID: 312997863-849940345
Opcode ID: 66a191b1396e23743340b3bf8f99a660aa270ad2aa5ebc0f0f600cc81104f07c
Instruction ID: 34194b556595efbbea820b7bb6b9162989cf9261f3116618f2beeb079c5b6fcb
Opcode Fuzzy Hash: 66a191b1396e23743340b3bf8f99a660aa270ad2aa5ebc0f0f600cc81104f07c
Instruction Fuzzy Hash: D7F05E32606350ABC3117BA66C09B8A2AA49B92716F44403EFC09A1193CF7D845E87BE

Function 00423D5C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,00423EB5,00428591,?,00423ED5,00000000), ref: 00423D61
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00423D71
ExitProcess.KERNEL32 ref: 00423D85

Strings

CorExitProcess, xrefs: 00423D6B
mscoree.dll, xrefs: 00423D5C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 73766fcf5377165176eb8aa766b74b14e4662fc7e278a5af44fe28294c543645
Instruction ID: d681029f06332e7bb9a77ada203d812da5940a19e6021aafab7c3ebf6d4e0ead
Opcode Fuzzy Hash: 73766fcf5377165176eb8aa766b74b14e4662fc7e278a5af44fe28294c543645
Instruction Fuzzy Hash: 63D0C730740211ABDA102F71BC4DA2A3768FF40B02B844439B805D0160CB38D927E61E

Function 00415EAD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(80000002,00000000,0040D819,00000000,C:\Users\user\AppData\Local\Temp\), ref: 00415EE9
RegSetValueExA.KERNEL32(0040D819,00000000,?,?,00000000,00000004,?,00000004), ref: 00415F12
RegCloseKey.ADVAPI32(0040D819,?,?,00000000,00000004,?,00000004), ref: 00415F1B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00415EB6

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseCreateValue
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1818849710-787714339
Opcode ID: 40e6c71a992a7c2e8f09d534d622b9993dff3e98155a1071289031704242a58b
Instruction ID: d33b6102d000e128b126aea15ab64def901b4170a75cf8a89fc65d3170fde99c
Opcode Fuzzy Hash: 40e6c71a992a7c2e8f09d534d622b9993dff3e98155a1071289031704242a58b
Instruction Fuzzy Hash: 4DF036B1941238BADB109B919C4AFEF7F7CEF05755F504075BA04E1051DA705B48C7A5

Function 0040D4A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000043), ref: 0040D4AB

Part of subcall function 00413DD8: ExitWindowsEx.USER32(00000006,00050005), ref: 00413DED

Sleep.KERNEL32(000001F4), ref: 0040D4C5
Sleep.KERNEL32(shutdown -r), ref: 0040D4D8

Strings

shutdown -r, xrefs: 0040D4C7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CallbackDispatcherExitUserWindows
String ID: shutdown -r
API String ID: 2129780474-3966090723
Opcode ID: d65347461eb1159606083e011ae0f0cf97533425740c30ccdfe41762bb4e863b
Instruction ID: d656d09b155cd6634d9f5f8501bfea0dcfe2fee2f2a7f8f05d117fa0df0b0c8d
Opcode Fuzzy Hash: d65347461eb1159606083e011ae0f0cf97533425740c30ccdfe41762bb4e863b
Instruction Fuzzy Hash: 72D0C730B842219BD5203FE15D0775D39646F10715F81007FAD457A1D1CEBDA6619A6F

Function 00415C5F Relevance: 6.1, APIs: 4, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 00415CA3
RegQueryValueExA.KERNEL32(00000000,00000000,?,?,00000000,?,00000001,?), ref: 00415CD9
RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000001,?), ref: 00415CE6
RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000001,?), ref: 00415CEE

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: a491de724d99324340aeb177c98d6297e6913b01a10ba44178b77f50eafc96a5
Instruction ID: 351be250b04c206962fd1380f2a074eff5c3e03c83a55a2369d373208c135491
Opcode Fuzzy Hash: a491de724d99324340aeb177c98d6297e6913b01a10ba44178b77f50eafc96a5
Instruction Fuzzy Hash: 43115EB1A00218FFEB119FA0DC46FEEBBBCAB04705F50047AA505E5082EB749A449B69

Function 0040C54E Relevance: 6.0, APIs: 4, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C591
CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0040C5A7
GetLastError.KERNEL32 ref: 0040C5AF
CloseHandle.KERNEL32(00000000), ref: 0040C5BA

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Mutex$CloseCreateErrorHandleLastOpenlstrlen
String ID:
API String ID: 592644537-0
Opcode ID: 000a1266c8250fe00c398a31faa2c87a8f7fc2f543a9cf41a7e6eb80620c8649
Instruction ID: c80b6dc3ec81cb7e527f81272f8b9e0629b83a31c53efe65eae3f0c2fc373074
Opcode Fuzzy Hash: 000a1266c8250fe00c398a31faa2c87a8f7fc2f543a9cf41a7e6eb80620c8649
Instruction Fuzzy Hash: 4001DB36500224BBDB325B64DC45FE63BACAB08750F0001B7FA45E61C1DAB49B898EA9

Function 0040D016 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C472: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C4B4

ShellExecuteA.SHELL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000,00000001), ref: 0040D06C
Sleep.KERNEL32(000007D0), ref: 0040D080

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040D065

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ExecuteMutexOpenShellSleep
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 3313497417-2091069259
Opcode ID: 8dd72d10b48480686d8a68e1f1a7e5594e31e5efcd4691a26b6dd1b9084c5060
Instruction ID: 3e9c2417071d30d14c851cbdd2542e738391786d2d5ab44393d6f6cb1bd2832f
Opcode Fuzzy Hash: 8dd72d10b48480686d8a68e1f1a7e5594e31e5efcd4691a26b6dd1b9084c5060
Instruction Fuzzy Hash: 59F0AF61AC1214A9FE2067F09C92FF713080B1231EF14013BBD84B60C3CAAD0C4ED26D

Function 00401E2A Relevance: 4.6, APIs: 3, Instructions: 62fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(0040C791,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E78
ReadFile.KERNEL32(00000000,00000000,00000000,0040C791,00000000,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E8E
CloseHandle.KERNEL32(?,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E97

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandle$ReadSize
String ID:
API String ID: 544545239-0
Opcode ID: e69d7c9796f7011418dbdc12bb5b1820b9feb26d2d6a72cc67a0287690586167
Instruction ID: 70d0acc40c6bbc286e2840f8266f4b633dd67f2653dc02f1a20cf65559c156c9
Opcode Fuzzy Hash: e69d7c9796f7011418dbdc12bb5b1820b9feb26d2d6a72cc67a0287690586167
Instruction Fuzzy Hash: 8A0126719042087BDB212BA59C89EFF3F6CDF423A8F10016AF901720D1DA7D0A5686A9

Function 0041382B Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: a7e7e2852162d901733bd9cb003451e439e81ea291194a1f39b14b788c7c5ea1
Instruction ID: 4a430e91a8f863336b2687282291e13684705547ea1748166e0690fd64c8d12b
Opcode Fuzzy Hash: a7e7e2852162d901733bd9cb003451e439e81ea291194a1f39b14b788c7c5ea1
Instruction Fuzzy Hash: 98E0C23639022077D7301737AC0EFA73DA9EBC6F31F040134FE01E2190C9644962C265

Function 00425B9F Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00422C60,00000000,?,0042B7F8,00000060), ref: 00425BB0

Part of subcall function 00427433: HeapAlloc.KERNEL32(00000000,00000140,00425BD8,000003F8,?,0042B7F8,00000060), ref: 00427440

HeapDestroy.KERNEL32(?,0042B7F8,00000060), ref: 00425BE3

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 515d63fb8d1a4909140f08a63f5b198cdef78c224400cc72ab3f26efe8c330c1
Instruction ID: 7544e6c939ce91180a6ab0966c6dc760d355c7477ffebe0e505c52c9fcc3e56c
Opcode Fuzzy Hash: 515d63fb8d1a4909140f08a63f5b198cdef78c224400cc72ab3f26efe8c330c1
Instruction Fuzzy Hash: 5AE04870B547505BDB116F71BD0572A7EF4DB44757FD4043AF400C9190FB789550D50A

Function 00410C3B Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 969254deb2add1187b88b354c7ae7fe4fc641dc09986d8278be8f81eb28bda17
Instruction ID: a6d593b0423ec023e5a7d9a3c9df955ab54794e0b81865e68d434db1e99dc6aa
Opcode Fuzzy Hash: 969254deb2add1187b88b354c7ae7fe4fc641dc09986d8278be8f81eb28bda17
Instruction Fuzzy Hash: E7C04C35604201EBDF155F909A0CB4A7A68AB54702F40C414B646910A0A6B58491EF56

Function 00414D8E Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: be5cc59e789f861664658e48bd89c188ad812a6811f4700a052b99e26e539987
Instruction ID: 1e1558fb8b0164460d63e7c9d042b0b03a7d8c51ed854541774a8aeec67ebbc2
Opcode Fuzzy Hash: be5cc59e789f861664658e48bd89c188ad812a6811f4700a052b99e26e539987
Instruction Fuzzy Hash: E8C092303C0300BAFE314A00AC07F047611A740F01F304014BB80BC0E085E12165960D

Function 00413A97 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6a766d55de5806cb64bf156286ed74061e33ddd11af47f180c1e3163fbbd4410
Instruction ID: 7233bf50e2f4aa5628624fa1b3fb2043d1fc11f99b5e30410f9e75dee4eb0990
Opcode Fuzzy Hash: 6a766d55de5806cb64bf156286ed74061e33ddd11af47f180c1e3163fbbd4410
Instruction Fuzzy Hash: CEB012753140008BCB1807349C4D04D35506F447317600B7CB033D11F0D721CD71BA01

Non-executed Functions

Function 004095B5 Relevance: 389.7, APIs: 23, Strings: 199, Instructions: 1235keyboardstringsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00007530), ref: 004095CF
Sleep.KERNEL32(0000EA60), ref: 004095EB
Sleep.KERNEL32(00000001), ref: 0040A682
GetKeyState.USER32(00000010), ref: 0040A696
GetAsyncKeyState.USER32(?), ref: 0040A6A8
GetKeyState.USER32(00000014), ref: 0040A6B6
GetKeyState.USER32(00000014), ref: 0040A6E0
GetForegroundWindow.USER32 ref: 0040A73A
GetWindowTextA.USER32(00000000,?,000000C7), ref: 0040A750
lstrlenA.KERNEL32(?), ref: 0040A75D
lstrlenA.KERNEL32(00457AB8), ref: 0040A816
lstrlenA.KERNEL32(00457AB8), ref: 0040A832
lstrcatA.KERNEL32(00457AB8,0042A4DC), ref: 0040A846

Strings

r, xrefs: 0040A300
3, xrefs: 00409BFE
c, xrefs: 0040A61E
h, xrefs: 0040A650
?, xrefs: 0040A101
i, xrefs: 0040A65A
q, xrefs: 0040980E
D, xrefs: 0040A47C
S, xrefs: 0040A472
c, xrefs: 004099E7
n, xrefs: 0040A664
-, xrefs: 0040A596
W, xrefs: 00409EB4
\, xrefs: 00409A80
!, xrefs: 0040A5AA
f, xrefs: 0040A63C
2, xrefs: 0040A378
x, xrefs: 004099D4
/, xrefs: 00409B79
=, xrefs: 004097E6
b, xrefs: 00409A0D
I, xrefs: 00409F26
3, xrefs: 0040A382
s, xrefs: 0040A30A
7, xrefs: 00409787
9, xrefs: 0040A2B6
`, xrefs: 0040A600
2, xrefs: 00409728
E, xrefs: 0040A404
3, xrefs: 0040973B
R, xrefs: 0040A40E
&, xrefs: 00409E1A
a, xrefs: 0040A60A
N, xrefs: 0040A528
X, xrefs: 0040A069
U, xrefs: 00409F13
y, xrefs: 0040A346
n, xrefs: 00409A20
T, xrefs: 0040A418
[, xrefs: 004098CC
H, xrefs: 00409FE4
[C], xrefs: 00409A93
_, xrefs: 00409E66
o, xrefs: 004098A6
1, xrefs: 00409713
L, xrefs: 0040A01D
R, xrefs: 00409EDA
J, xrefs: 00409FF7
P, xrefs: 00409F4C
A, xrefs: 0040A468
M, xrefs: 0040A0C8
O, xrefs: 00409F39
v, xrefs: 004099FA
8, xrefs: 0040A2A9
5, xrefs: 0040A282
u, xrefs: 0040A31E
V, xrefs: 0040A08F
+, xrefs: 00409E79
o, xrefs: 0040A5D8
T, xrefs: 00409EED
C, xrefs: 0040A4EA
r, xrefs: 00409845
k, xrefs: 0040A5F6
b, xrefs: 0040A614
`, xrefs: 00409700
[T], xrefs: 00409E8C
0, xrefs: 004097C0
M, xrefs: 0040A532
Z, xrefs: 0040A056
G, xrefs: 0040A490
-, xrefs: 004097D3
W, xrefs: 0040A3FA
,, xrefs: 00409A46
{C@, xrefs: 0040A3A0
0, xrefs: 0040A241
4, xrefs: 0040A275
3, xrefs: 0040A268
h, xrefs: 00409951
X, xrefs: 0040A4E0
*, xrefs: 00409B8C
", xrefs: 0040A5C4
8, xrefs: 0040979A
Q, xrefs: 00409EA1
f, xrefs: 0040992B
J, xrefs: 0040A4A4
*, xrefs: 0040A21A
[T], xrefs: 004097F9
[<], xrefs: 0040A900, 0040A907
^, xrefs: 00409E0F
{, xrefs: 00409F5F
<, xrefs: 0040A0DB
w, xrefs: 0040A332
m, xrefs: 00409A33
-, xrefs: 0040A227
Z, xrefs: 0040A4D6
9, xrefs: 004097AD
B, xrefs: 0040A4FE
7, xrefs: 0040A29C
s, xrefs: 00409905
N, xrefs: 0040A0B5
e, xrefs: 0040A632
#, xrefs: 0040A5BA
j, xrefs: 0040A5E2
@, xrefs: 00409DBD
8, xrefs: 0040A3B4
9, xrefs: 0040A3BE
g, xrefs: 0040993E
d, xrefs: 0040A628
9, xrefs: 00409C70
U, xrefs: 0040A42C
,, xrefs: 0040A582
B, xrefs: 0040A0A2
5, xrefs: 0040A396
%, xrefs: 00409DF6
], xrefs: 004098DF
\, xrefs: 0040A578
*, xrefs: 00409E2D
>, xrefs: 0040A0EE
Y, xrefs: 0040A422
4, xrefs: 0040A38C
V, xrefs: 0040A4F4
6, xrefs: 0040A28F
m, xrefs: 0040A5EC
#, xrefs: 00409DD0
5, xrefs: 00409761
x, xrefs: 0040A33C
|, xrefs: 0040A114
~, xrefs: 00409D97
, xrefs: 00409ABC
+, xrefs: 0040A234
a, xrefs: 004098F2
q, xrefs: 0040A2F6
A, xrefs: 00409F85
k, xrefs: 00409975
7, xrefs: 0040A3AA
z, xrefs: 004099C1
[, xrefs: 0040A56E
v, xrefs: 0040A328
1, xrefs: 00409BD8
t, xrefs: 0040A314
6, xrefs: 00409C37
u, xrefs: 00409880
F, xrefs: 00409FBE
G, xrefs: 00409FD1
0, xrefs: 0040A3C8
F, xrefs: 0040A486
i, xrefs: 00409893
y, xrefs: 0040986D
0, xrefs: 00409BC3
O, xrefs: 0040A440
+, xrefs: 00409BB2
L, xrefs: 0040A4B8
e, xrefs: 00409834
1, xrefs: 0040A36E
/, xrefs: 00409A6D
7, xrefs: 00409C4A
Y, xrefs: 00409F00
}, xrefs: 00409F72
p, xrefs: 0040A2EC
g, xrefs: 0040A646
", xrefs: 0040A043
4, xrefs: 0040974E
w, xrefs: 00409821
K, xrefs: 0040A00A
$, xrefs: 0040A5A0
t, xrefs: 0040985A
C, xrefs: 0040A07C
;, xrefs: 0040999B
H, xrefs: 0040A49A
2, xrefs: 0040A25B
4, xrefs: 00409C11
I, xrefs: 0040A436
), xrefs: 00409E53
/, xrefs: 0040A207
{, xrefs: 0040A35A
6, xrefs: 00409774
p, xrefs: 004098B9
2, xrefs: 00409BEB
1, xrefs: 0040A24E
-, xrefs: 00409B9F
E, xrefs: 00409EC7
', xrefs: 004099AE
(, xrefs: 00409E40
K, xrefs: 0040A4AE
8, xrefs: 00409C5D
:, xrefs: 0040A030
d, xrefs: 00409918
$, xrefs: 00409DE3
Q, xrefs: 0040A3F0
[<], xrefs: 0040A914, 0040A91B
z, xrefs: 0040A350
S, xrefs: 00409F98
l, xrefs: 00409988
!, xrefs: 00409DAA
P, xrefs: 0040A44A
j, xrefs: 00409964
D, xrefs: 00409FAB
, xrefs: 0040A865
5, xrefs: 00409C24

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: State$Sleeplstrlen$Window$AsyncForegroundTextlstrcat
String ID: $ $!$!$"$"$#$#$$$$$%$&$'$($)$*$*$*$+$+$+$,$,$-$-$-$-$/$/$/$0$0$0$0$1$1$1$1$2$2$2$2$3$3$3$3$4$4$4$4$5$5$5$5$6$6$6$7$7$7$7$8$8$8$8$9$9$9$9$:$;$<$=$>$?$@$A$A$B$B$C$C$D$D$E$E$F$F$G$G$H$H$I$I$J$J$K$K$L$L$M$M$N$N$O$O$P$P$Q$Q$R$R$S$S$T$T$U$U$V$V$W$W$X$X$Y$Y$Z$Z$[$[$[<]$[<]$[C]$[T]$[T]$\$\$]$^$_$`$`$a$a$b$b$c$c$d$d$e$e$f$f$g$g$h$h$i$i$j$j$k$k$l$m$m$n$n$o$o$p$p$q$q$r$r$s$s$t$t$u$u$v$v$w$w$x$x$y$y$z$z${${${C@$|$}$~
API String ID: 3575194195-3582245935
Opcode ID: 8854861286730337773018bca92a435ae2a34e7a5e9d0326d75932680d368b89
Instruction ID: df153dc5a53d45ebde2be742832d1a1b3fb3dbbf52d9bd87248e0ab54d23e74c
Opcode Fuzzy Hash: 8854861286730337773018bca92a435ae2a34e7a5e9d0326d75932680d368b89
Instruction Fuzzy Hash: 5AB2FB75924628AEDB62CB68CC053DBBBB1AF48345F4148E5C20CF7150DBB56F898F4A

Function 004034C1 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 350stringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004034D7
lstrcmpA.KERNEL32(00000000,pcid), ref: 00403536
lstrlenA.KERNEL32(?), ref: 0040353F

Strings

tdc, xrefs: 0040384C
pcid, xrefs: 00403530
lsat, xrefs: 004037F2
4941262305804196, xrefs: 00403549
tzs, xrefs: 004038A3
srn, xrefs: 00403746
scc, xrefs: 00403866
sat, xrefs: 004037D5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTicklstrcmplstrlen
String ID: 4941262305804196$lsat$pcid$sat$scc$srn$tdc$tzs
API String ID: 2027369598-293408892
Opcode ID: d83c2739a2cb9d19d5282ff5310fc4918b2ea2d78647d55a05f876a553792e32
Instruction ID: cd2cc601e63a37e43ad3a66486eb1478b7bfac2c886f719d25a3961c064db815
Opcode Fuzzy Hash: d83c2739a2cb9d19d5282ff5310fc4918b2ea2d78647d55a05f876a553792e32
Instruction Fuzzy Hash: 9BB1F331644259FADF226F709C05EAA3FAD5B15B06F508073FC24611E2D33DEA21AB1A

Function 00408912 Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 292stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 00408923
wsprintfA.USER32 ref: 0040893E
FindFirstFileA.KERNEL32(?,?), ref: 00408951
wsprintfA.USER32 ref: 004089C5
lstrlenA.KERNEL32(?), ref: 004089F2
lstrlenA.KERNEL32(?,.exe), ref: 00408A2A
lstrcmpiA.KERNEL32(?), ref: 00408A34
lstrlenA.KERNEL32(?), ref: 00408AA1
wsprintfA.USER32 ref: 00408AD9
GetUserNameA.ADVAPI32(00000000,0000007F), ref: 00408AE9
wsprintfA.USER32 ref: 00408B02
ShellExecuteA.SHELL32(00000000,00000000,takeown,?,00000000,00000000), ref: 00408B19
FindNextFileA.KERNEL32(?,00000010), ref: 00408C90

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

wsprintfA.USER32 ref: 00408B39
ShellExecuteA.SHELL32(00000000,00000000,icacls,?,00000000,00000000), ref: 00408B4E
Sleep.KERNEL32(00001388), ref: 00408B59
lstrcpyA.KERNEL32(?,?), ref: 00408B76
lstrcatA.KERNEL32(?,0042A3B0), ref: 00408B8E
lstrcatA.KERNEL32(?,?), ref: 00408B9B
lstrcatA.KERNEL32(?,?), ref: 00408BAB
LoadLibraryA.KERNEL32(?), ref: 00408BD6
EnumResourceNamesA.KERNEL32(00000000,0000000E,00406D90,00000000), ref: 00408BF1
FreeLibrary.KERNEL32(00000000), ref: 00408C00
MoveFileA.KERNEL32(?,?), ref: 00408C1A
SetFileAttributesA.KERNEL32(?,00000002), ref: 00408C2D

Part of subcall function 00409201: SetFileAttributesA.KERNEL32(00000000,00000080,0040952A,00000000,00402188,00000000), ref: 0040920A
Part of subcall function 00409201: LoadLibraryA.KERNEL32(?,?), ref: 00409223
Part of subcall function 00409201: BeginUpdateResourceA.KERNEL32(?,00000001), ref: 00409236
Part of subcall function 00409201: EnumResourceNamesA.KERNEL32(00000000,0000000E,004091E1,00000000), ref: 0040924B
Part of subcall function 00409201: EndUpdateResourceA.KERNEL32(00000000,00000000), ref: 00409254
Part of subcall function 00409201: FreeLibrary.KERNEL32(00000000), ref: 0040925B

FindClose.KERNEL32(?), ref: 00408CA3

Strings

common, xrefs: 0040899A
., xrefs: 0040896C
%s\*, xrefs: 00408938
/f "%s", xrefs: 00408AFC
takeown, xrefs: 00408B12
.exe, xrefs: 00408A1E
"%s" /grant %s:D, xrefs: 00408B33
winrar, xrefs: 0040897F
icacls, xrefs: 00408B47
%s\%s, xrefs: 004089BF, 00408AD3

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Filelstrlenwsprintf$LibraryResource$Findlstrcat$AttributesEnumExecuteFreeLoadNamesShellSleepUpdate$BeginCloseFirstMoveNameNextUserlstrcmpilstrcpy
String ID: "%s" /grant %s:D$%s\%s$%s\*$.$.exe$/f "%s"$common$icacls$takeown$winrar
API String ID: 129874200-1007597167
Opcode ID: fef2203b3cafb2106d3b506206465eebb1ea86fbe2a034fd1f88a0c5e7fef4d8
Instruction ID: 2269f8bd79c62046c8ac0baabdbb9edcdb8c59620273d61e71fc7e47dc0d7b65
Opcode Fuzzy Hash: fef2203b3cafb2106d3b506206465eebb1ea86fbe2a034fd1f88a0c5e7fef4d8
Instruction Fuzzy Hash: F5A1847294421CABDF20DBA0DD49FDA77BCAB44305F0440ABE944F2181DB799B898F69

Function 0040901B Relevance: 45.2, APIs: 30, Instructions: 162windowCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040902E
LoadResource.KERNEL32(?,00000000), ref: 00409042
LockResource.KERNEL32(00000000), ref: 0040904F
SizeofResource.KERNEL32(?,00000000), ref: 0040905D
UpdateResourceA.KERNEL32(?,?,?,?,?,00000000), ref: 00409074
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000010,00000010,00000000), ref: 00409086
FindResourceA.KERNEL32(?,?,00000003), ref: 00409097
LoadResource.KERNEL32(?,00000000), ref: 004090A3
LockResource.KERNEL32(00000000), ref: 004090A6
SizeofResource.KERNEL32(?,?), ref: 004090B1
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 004090C6
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000030,00000030,00000000), ref: 004090D8
FindResourceA.KERNEL32(?,?,00000003), ref: 004090E9
LoadResource.KERNEL32(?,00000000), ref: 004090F5
LockResource.KERNEL32(00000000), ref: 004090F8
SizeofResource.KERNEL32(?,?), ref: 00409103
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 00409118
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000020,00000020,00000000), ref: 0040912A
FindResourceA.KERNEL32(?,?,00000003), ref: 0040913B
LoadResource.KERNEL32(?,00000000), ref: 00409147
LockResource.KERNEL32(00000000), ref: 0040914A
SizeofResource.KERNEL32(?,?), ref: 00409155
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 0040916A
FindResourceA.KERNEL32(?,00000000,00000003), ref: 0040917E
LoadResource.KERNEL32(?,00000000), ref: 0040918E
LockResource.KERNEL32(00000000), ref: 00409191
SizeofResource.KERNEL32(?,?), ref: 0040919C
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 004091B3
FreeResource.KERNEL32(?), ref: 004091CE
FreeResource.KERNEL32(?), ref: 004091D4

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofUpdate$DirectoryFromIconLookup$Free
String ID:
API String ID: 4293049711-0
Opcode ID: a1d6c37a740b477b33ebc72f89dac7cc81a38640dfe682816ad91298d220abaf
Instruction ID: 117c28e06bb043129752a4c397bc6654641652e639958cb8c3de27d6e2a33916
Opcode Fuzzy Hash: a1d6c37a740b477b33ebc72f89dac7cc81a38640dfe682816ad91298d220abaf
Instruction Fuzzy Hash: 3E512E71518300BFE7125F61DD05F2FBAEDFF89B04F400919FA84A1160C676CA219F6A

Function 00412FDD Relevance: 44.1, APIs: 23, Strings: 2, Instructions: 336sleepstringnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00412FF4
GetTickCount.KERNEL32 ref: 00412FF6
GetTickCount.KERNEL32 ref: 0041304E
GetTickCount.KERNEL32 ref: 0041307A
GetTickCount.KERNEL32 ref: 004130E4
GetTickCount.KERNEL32 ref: 0041312D
GetTickCount.KERNEL32 ref: 00413150
GetTickCount.KERNEL32 ref: 004131AA
Sleep.KERNEL32(00000003), ref: 004131D0
GetTickCount.KERNEL32 ref: 004131E8
lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 00413218
lstrlenA.KERNEL32(00000000,00000027), ref: 00413227
GetTickCount.KERNEL32 ref: 00413249
Sleep.KERNEL32(00000064), ref: 00413255
GetTickCount.KERNEL32 ref: 004132AE

Part of subcall function 004015BB: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004015F4
Part of subcall function 004015BB: ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040160B
Part of subcall function 004015BB: CloseHandle.KERNEL32(00000000), ref: 00401612

GetTickCount.KERNEL32 ref: 00413321
GetTickCount.KERNEL32 ref: 00413342
Sleep.KERNEL32(000000FD), ref: 0041336A
Sleep.KERNEL32(0000EA60), ref: 00413378
InternetGetConnectedState.WININET(?,00000000), ref: 0041337F
GetTickCount.KERNEL32 ref: 004133E3
GetTickCount.KERNEL32 ref: 00413406

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0041302D, 004131EF
C:\Users\user\AppData\Local\Temp\, xrefs: 0041320C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$Sleep$File$CloseConnectedCreateHandleInternetReadStatelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 2589685863-1343724464
Opcode ID: b31ac0d480c363e4102ade8ff76a0215a76fb5044318200e4b3b47ad19a756fb
Instruction ID: b377c5010cb92b842955c200201b203a8470812258737c0f6d08faac805126b8
Opcode Fuzzy Hash: b31ac0d480c363e4102ade8ff76a0215a76fb5044318200e4b3b47ad19a756fb
Instruction Fuzzy Hash: DCC1D131804349DADB21EFA4D9457EEBBB0AB05316F24046FD814A3292DBBC9EC5C75E

Function 00401000 Relevance: 43.9, APIs: 13, Strings: 12, Instructions: 190stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00401010
wsprintfA.USER32 ref: 00401028
FindFirstFileA.KERNEL32(?,?), ref: 0040103F
wsprintfA.USER32 ref: 0040108E
lstrcpyA.KERNEL32(?,?), ref: 004011CA
lstrcatA.KERNEL32(?,0042A3B0), ref: 004011D4
lstrcatA.KERNEL32(?,?), ref: 004011E4
lstrcpyA.KERNEL32(?,?), ref: 00401215
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040121B
lstrcatA.KERNEL32(?,?), ref: 0040122B
CopyFileA.KERNEL32(?,?,00000001), ref: 0040123D
FindNextFileA.KERNEL32(?,00000010), ref: 0040124D
FindClose.KERNEL32(?), ref: 00401260

Strings

.3gp, xrefs: 00401194
.ppt, xrefs: 0040114F
.bmp, xrefs: 0040117D
%s\*, xrefs: 00401022
.jpeg, xrefs: 00401102
.gif, xrefs: 00401138
.rtf, xrefs: 0040111D
.txt, xrefs: 004011AB
.xls, xrefs: 00401166
.jpg, xrefs: 004010E7
.doc, xrefs: 004010CC
%s\%s, xrefs: 00401088

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$FileFind$lstrcpywsprintf$CloseCopyFirstNextSleep
String ID: %s\%s$%s\*$.3gp$.bmp$.doc$.gif$.jpeg$.jpg$.ppt$.rtf$.txt$.xls
API String ID: 410483186-4223433645
Opcode ID: 1bcf79c679bfb750c70df176564b50a258270a4ebb8da8457167ef855b4bdc68
Instruction ID: 8443bdfcda034cd6fdbb2585da044ab3805babf66fc6f46138fa2843509b9348
Opcode Fuzzy Hash: 1bcf79c679bfb750c70df176564b50a258270a4ebb8da8457167ef855b4bdc68
Instruction Fuzzy Hash: A55174B29043589BDF25DBA0ED49BDE77ACEB08315F5400ABFD04E2190E778DB948B19

Function 0041EDCD Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 248stringwindownativeCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0041EE25
CreateThread.KERNEL32(00000000,00000000,0041EBD9,00000000,00000000,00000000), ref: 0041EE92
GetTickCount.KERNEL32 ref: 0041EEB2
lstrcpynA.KERNEL32(0045B918,?,00000001), ref: 0041EEF0
lstrcpyA.KERNEL32(0045B104,0045B92A), ref: 0041F06D
wsprintfA.USER32 ref: 0041F0D1

Part of subcall function 0041D1B7: lstrlenA.KERNEL32(00000002), ref: 0041D1D8

PostQuitMessage.USER32(00000000), ref: 0041F0EF
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0041F101

Strings

CURRENTUSERHANDLE , xrefs: 0041F051
CHATMESSAGE , xrefs: 0041EFD2
SET USERSTATUS DND, xrefs: 0041EE57
MESSAGE , xrefs: 0041EFB2
PONG, xrefs: 0041EEF8
USERS , xrefs: 0041EF49
FILETRANSFER , xrefs: 0041F02D
CHAT , xrefs: 0041EFED
SET CALL %s STATUS FINISHED, xrefs: 0041F0CB
CALL , xrefs: 0041F086
USER , xrefs: 0041EF8F
CHATS , xrefs: 0041F00D
UI_LANGUAGE , xrefs: 0041EF19
PROFILE , xrefs: 0041EF6C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: MessagePostQuit$CountCreateNtdllProc_ThreadTickWindowlstrcpylstrcpynlstrlenwsprintf
String ID: CALL $CHAT $CHATMESSAGE $CHATS $CURRENTUSERHANDLE $FILETRANSFER $MESSAGE $PONG$PROFILE $SET CALL %s STATUS FINISHED$SET USERSTATUS DND$UI_LANGUAGE $USER $USERS
API String ID: 2230958134-1409954666
Opcode ID: 888936b5bfeabbe3d83433d343771e4eec9ac341bedf05c1293056f138848fca
Instruction ID: ff1e2bf0f8754b3fd09514ce30ef34bff699cb29bf99f05bcf49ffc9983ba451
Opcode Fuzzy Hash: 888936b5bfeabbe3d83433d343771e4eec9ac341bedf05c1293056f138848fca
Instruction Fuzzy Hash: 83712CB5B40310F6D7205B22EC42FDB3BA4EB15709F544037FD01A1293E76D9A8A869F

Function 004121EB Relevance: 37.2, APIs: 20, Strings: 1, Instructions: 403networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000000), ref: 00412263
socket.WS2_32(00000002,00000001,00000000), ref: 0041228F
closesocket.WS2_32(00000000), ref: 004122A0
bind.WS2_32(00000000,?,00000010), ref: 004122B4
closesocket.WS2_32(00000000), ref: 00412699

Strings

GET , xrefs: 004125E7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: closesocket$bindhtonssocket
String ID: GET
API String ID: 1339886155-3027191851
Opcode ID: 668f9fc0e6b1926bede2e661f5c29ac8492686b19c3ee1bbfc58fa61b5cf8c33
Instruction ID: d311fc27eb13a375107f39839a4af2a922eccf7441768b3d5e47e018ee900ff6
Opcode Fuzzy Hash: 668f9fc0e6b1926bede2e661f5c29ac8492686b19c3ee1bbfc58fa61b5cf8c33
Instruction Fuzzy Hash: 99D11471910214EFCF149F64ED88AEE77B8FB09355F10012BE516E2291DBB89DA1CB2D

Function 0041C19E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 258sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 0041C1BB
GetTickCount.KERNEL32 ref: 0041C1CB
Sleep.KERNEL32(skype.exe), ref: 0041C1E8
GetTickCount.KERNEL32 ref: 0041C1EA
GetTickCount.KERNEL32 ref: 0041C270
Sleep.KERNEL32(00002710), ref: 0041C29E
Sleep.KERNEL32(000003E8), ref: 0041C2A7
GetTickCount.KERNEL32 ref: 0041C2BD
Sleep.KERNEL32(000003E7), ref: 0041C2DF
GetTickCount.KERNEL32 ref: 0041C2E1
Sleep.KERNEL32(00007530), ref: 0041C303
Sleep.KERNEL32(00001388), ref: 0041C318
Sleep.KERNEL32(0000EA60), ref: 0041C327

Part of subcall function 00414776: EnumWindows.USER32(Function_0001470D,?), ref: 00414780

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

InitializeCriticalSection.KERNEL32(0045A330), ref: 0041C372
InitializeCriticalSection.KERNEL32(00463AB4), ref: 0041C379
InitializeCriticalSection.KERNEL32(0045B020), ref: 0041C380
Sleep.KERNEL32(000003E8), ref: 0041C387
CreateThread.KERNEL32(00000000,00000000,0041C62E,00000000,00000000,00000000), ref: 0041C4AC
CreateThread.KERNEL32(00000000,00000000,004218D6,00000000,00000000,00000000), ref: 0041C4B8
Sleep.KERNEL32(000001F4), ref: 0041C4C4

Strings

skype.exe, xrefs: 0041C1D7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CountTick$CriticalInitializeSection$CreateThread$EnumWindows
String ID: skype.exe
API String ID: 147955496-1432977592
Opcode ID: ae0dd1a123f94e77d99d4edb2041086986a7eea2d600e26643077ea6de868743
Instruction ID: da50cea28471ff58dfe6edcfae1584a9064ff1a257102cfc2779c5ee05b94594
Opcode Fuzzy Hash: ae0dd1a123f94e77d99d4edb2041086986a7eea2d600e26643077ea6de868743
Instruction Fuzzy Hash: D77129B09C8358BEE620A7619CC2BFB375CE70675AF04056BB90956183D77C8CC58A6F

Function 004074A2 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014,?,76AF0F00), ref: 004074B5
wsprintfA.USER32 ref: 004074CA
FindFirstFileA.KERNEL32(?,?), ref: 004074E1
wsprintfA.USER32 ref: 00407525
lstrlenA.KERNEL32(?), ref: 00407550
lstrlenA.KERNEL32(?,.exe), ref: 00407588
lstrcmpiA.KERNEL32(?), ref: 00407592
lstrlenA.KERNEL32(?), ref: 004075CC
wsprintfA.USER32 ref: 0040761C
lstrlenA.KERNEL32(?), ref: 00407629
lstrcpyA.KERNEL32(?,?), ref: 00407641
lstrcatA.KERNEL32(?,0042A3B0), ref: 00407659
lstrcatA.KERNEL32(?,00000000), ref: 00407663
FindNextFileA.KERNEL32(?,00000010), ref: 004076A3
FindClose.KERNEL32(?), ref: 004076B6

Strings

%s\*, xrefs: 004074C4
.exe, xrefs: 0040757C
%s\%s, xrefs: 0040751F, 00407616

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Findwsprintf$Filelstrcat$CloseFirstNextSleeplstrcmpilstrcpy
String ID: %s\%s$%s\*$.exe
API String ID: 1622304240-2151574129
Opcode ID: dce88a7abbee3731f9dce0cf2455fae8e9f5e9e5ada58549f6767937096a1e83
Instruction ID: b2f26f08b693f8bac722b2e922d27ab4f1d63144c6233fabb21fea4b541305d6
Opcode Fuzzy Hash: dce88a7abbee3731f9dce0cf2455fae8e9f5e9e5ada58549f6767937096a1e83
Instruction Fuzzy Hash: BA51E6B290421CABDF20DFA4DC44EDA77ACAF04314F1044A7FD09E2151DB39EA998F65

Function 00415D7A Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 93sleepstringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C2B: EnumProcesses.PSAPI(?,00001000,?), ref: 00415C48

GetTickCount.KERNEL32 ref: 00415D9E

Part of subcall function 00415C5F: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 00415CA3

Sleep.KERNEL32(0000012C), ref: 00415DC1
GetTickCount.KERNEL32 ref: 00415DD4
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 00415DF0
lstrlenA.KERNEL32(?,-00000005), ref: 00415E07
lstrcatA.KERNEL32(?,.reg), ref: 00415E23
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 00415E3F
CreateThread.KERNEL32(00000000,00000000,Function_00015C11,00000000,00000000,00000000), ref: 00415E54
GetTickCount.KERNEL32 ref: 00415E5A
Sleep.KERNEL32(00002710), ref: 00415E80
Sleep.KERNEL32(shutdown -r), ref: 00415E93
MessageBoxA.USER32(00000000,Please restart your computer.,Shutdown,00000010), ref: 00415EA2
Sleep.KERNEL32(00002710), ref: 00415EA9

Strings

shutdown -r, xrefs: 00415E82
C:\Users\user\AppData\Local\Temp\, xrefs: 00415DE2
Shutdown, xrefs: 00415E97
.reg, xrefs: 00415E19
Please restart your computer., xrefs: 00415E9C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CountTick$CreateEnumExecuteMessageOpenProcessesShellThreadlstrcatlstrcpylstrlen
String ID: .reg$C:\Users\user\AppData\Local\Temp\$Please restart your computer.$Shutdown$shutdown -r
API String ID: 3291655182-1724939203
Opcode ID: 45a0bc913c3db0820dd0f5aff22c820abbf664c53c8f46483399ef9e7f3ecb88
Instruction ID: f5b4bd09b82acead4b5e9d0ab87140c6dd98665664e3eee1d4988e245c3d49ea
Opcode Fuzzy Hash: 45a0bc913c3db0820dd0f5aff22c820abbf664c53c8f46483399ef9e7f3ecb88
Instruction Fuzzy Hash: 8021D6B2604305EFD310BFA0EC89DDF369CAB80344F50082AF905D2142EAAC899586BF

Function 004092D5 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 114stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,?,00000000), ref: 004092E3
wsprintfA.USER32 ref: 00409304

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

wsprintfA.USER32 ref: 00409318
FindFirstFileA.KERNEL32(?,?), ref: 0040932F
wsprintfA.USER32 ref: 00409379
lstrcpyA.KERNEL32(?,00000026), ref: 004093C7
lstrcatA.KERNEL32(?,0042A3B0), ref: 004093D5
lstrcatA.KERNEL32(?,?), ref: 004093E5
FindNextFileA.KERNEL32(00000000,00000010), ref: 00409414
FindClose.KERNEL32(00000000), ref: 00409427
lstrcpyA.KERNEL32(?,?), ref: 0040943E

Strings

%s\%s*, xrefs: 004092FE
%s\*, xrefs: 00409312
.exe, xrefs: 004093AC
., xrefs: 00409356
%s\%s, xrefs: 00409373

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Findwsprintf$Filelstrcatlstrcpylstrlen$CloseFirstNextSleep
String ID: %s\%s$%s\%s*$%s\*$.$.exe
API String ID: 726025564-1488415943
Opcode ID: f85af95b27df55c0ed87ac530051f9fc08faa1526708873ecf1bcf0a6831bfd3
Instruction ID: 8a5b5f6320cb998d4a51ea96e090637559c7b13efd41aa9022c31fab5c575317
Opcode Fuzzy Hash: f85af95b27df55c0ed87ac530051f9fc08faa1526708873ecf1bcf0a6831bfd3
Instruction Fuzzy Hash: 1F41837690421DABCF219FA0DD88EDA7B6CEF14314F4400A2FD08E2191D779DEA68F95

Function 00407259 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 109stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 0040726C
wsprintfA.USER32 ref: 00407287
FindFirstFileA.KERNEL32(?,?), ref: 0040729A
wsprintfA.USER32 ref: 004072FA
lstrlenA.KERNEL32(?,.rar), ref: 0040732A
lstrcmpiA.KERNEL32(?), ref: 00407334
lstrcpyA.KERNEL32(?,?), ref: 0040734C
lstrlenA.KERNEL32(?), ref: 00407359
wsprintfA.USER32 ref: 0040737A
FindNextFileA.KERNEL32(?,00000010), ref: 004073AB

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

FindClose.KERNEL32(?), ref: 004073BE

Strings

temp, xrefs: 004072D3
%s\*, xrefs: 00407281
.rar, xrefs: 0040731E
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00407382
%s\%s, xrefs: 004072B2, 004072F8, 00407378

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Findwsprintf$File$CloseFirstNextSleeplstrcmpilstrcpy
String ID: %s\%s$%s\*$.rar$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\$temp
API String ID: 3465626302-3669658814
Opcode ID: cf356e47ada7b759430fa3678339e03ff21bf4071e37b1c78863decc56c8ba5b
Instruction ID: ccee068b43fa7434496d33a530f361a629b7d78a8a3c796309b93028d32850df
Opcode Fuzzy Hash: cf356e47ada7b759430fa3678339e03ff21bf4071e37b1c78863decc56c8ba5b
Instruction Fuzzy Hash: C941657290425CABDF209BA5DC48FDA777CEB04304F5004A7FD14E2191EA38AA95CF66

Function 00414883 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 99stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,76AE83C0,76AE8A60,00000000), ref: 00414891
wsprintfA.USER32 ref: 004148AF
FindFirstFileA.KERNEL32(?,?), ref: 004148C2
wsprintfA.USER32 ref: 00414905
lstrlenA.KERNEL32(?), ref: 00414946
lstrcmpiA.KERNEL32(?,00000000), ref: 0041495F
lstrcpyA.KERNEL32(?,00000000), ref: 00414973
lstrcatA.KERNEL32(?,0042A3B0), ref: 00414985
lstrcatA.KERNEL32(?,?), ref: 00414995
SetFileAttributesA.KERNEL32(?,00000080), ref: 004149A3
DeleteFileA.KERNEL32(?), ref: 004149B0
FindNextFileA.KERNEL32(00000000,00000010), ref: 004149BE
FindClose.KERNEL32(00000000), ref: 004149CF

Strings

%s\*, xrefs: 004148A9
., xrefs: 004148E2
%s\%s, xrefs: 004148FF

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$Find$lstrcatwsprintf$AttributesCloseDeleteFirstNextSleeplstrcmpilstrcpylstrlen
String ID: %s\%s$%s\*$.
API String ID: 2620824442-2663966076
Opcode ID: fd92c6bfed2bd7e8c494e1457349e005d97c8806da0db38c392aa86de6e5bc65
Instruction ID: 9e4a764dee98d0fe3cbafeb52e22fe68a34b156404d9c119ea68426d0a8c7798
Opcode Fuzzy Hash: fd92c6bfed2bd7e8c494e1457349e005d97c8806da0db38c392aa86de6e5bc65
Instruction Fuzzy Hash: 7A311FB1A0021EABCF21DFA0DD8CFDB777CAB54315F4005A2BA09D2150D6789AA5CF95

Function 00420B22 Relevance: 27.3, APIs: 18, Instructions: 303stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00420500: GetTickCount.KERNEL32 ref: 00420541

GetTickCount.KERNEL32 ref: 00420B33
GetTickCount.KERNEL32 ref: 00420B3F
Sleep.KERNEL32(000001F4,?,?,?,?,0041EA98,?), ref: 00420B4A
GetTickCount.KERNEL32 ref: 00420B59
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420BDC
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420C00
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420C24
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420C48
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420C6C
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420C8C
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420CAC
lstrlenA.KERNEL32(?,?,?,?,?,0041EA98,?), ref: 00420CCC
GetTickCount.KERNEL32 ref: 00420D21
GetTickCount.KERNEL32 ref: 00420D3A

Part of subcall function 0042045D: lstrlenA.KERNEL32 ref: 0042048C

GetTickCount.KERNEL32 ref: 00420DF2
Sleep.KERNEL32(000003E8,?,?,?,?,0041EA98,?), ref: 00420E0D
GetTickCount.KERNEL32 ref: 00420E21
Sleep.KERNEL32(00002710,?,?,?,?,0041EA98,?), ref: 00420E40

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$CountTick$Sleep
String ID:
API String ID: 3409765676-0
Opcode ID: dd5e2e44a8ca26f335627a2657ddf6542905c81e94c6ef195cb35534abcd3b8d
Instruction ID: d9376ad281e1157ce78a842ca65d4016226585deae11d4f2902693360aadc1de
Opcode Fuzzy Hash: dd5e2e44a8ca26f335627a2657ddf6542905c81e94c6ef195cb35534abcd3b8d
Instruction Fuzzy Hash: A491B1703002204FDB35ABA6A944B2F77D26F55348F95095FE88687353CA6DEC82C71E

Function 0040C15D Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 228sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040C2F4

Part of subcall function 0040FB2F: socket.WS2_32(00000002,00000001,00000006), ref: 0040FB65
Part of subcall function 0040FB2F: htons.WS2_32(00000050), ref: 0040FB83
Part of subcall function 0040FB2F: connect.WS2_32(?,?,00000010), ref: 0040FB96
Part of subcall function 0040FB2F: wsprintfA.USER32 ref: 0040FBD0
Part of subcall function 0040FB2F: lstrlenA.KERNEL32(?,00000000), ref: 0040FBE3
Part of subcall function 0040FB2F: send.WS2_32(?,?,00000000), ref: 0040FBF4
Part of subcall function 0040FB2F: select.WS2_32(?,?,00000000,00000000,?), ref: 0040FC3E
Part of subcall function 0040FB2F: __WSAFDIsSet.WS2_32(?,00000001), ref: 0040FC4E
Part of subcall function 0040FB2F: recv.WS2_32(?,?,00000001,00000000), ref: 0040FC6C

Sleep.KERNEL32(00000BB8), ref: 0040C329
GetTickCount.KERNEL32 ref: 0040C33E

Strings

www.facebook.com/, xrefs: 0040C183
www.google.com/, xrefs: 0040C16A
www.blogger.com/, xrefs: 0040C236
www.ebay.com/, xrefs: 0040C2C0
www.imdb.com/, xrefs: 0040C290
www.bbc.co.uk/, xrefs: 0040C272
www.youtube.com/, xrefs: 0040C1BF
www.wikipedia.org/, xrefs: 0040C218
www.adobe.com/, xrefs: 0040C254
www.myspace.com/, xrefs: 0040C1A1
www.yahoo.com/, xrefs: 0040C1DF
www.baidu.com/, xrefs: 0040C2A8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$Sleepconnecthtonslstrlenrecvselectsendsocketwsprintf
String ID: www.adobe.com/$www.baidu.com/$www.bbc.co.uk/$www.blogger.com/$www.ebay.com/$www.facebook.com/$www.google.com/$www.imdb.com/$www.myspace.com/$www.wikipedia.org/$www.yahoo.com/$www.youtube.com/
API String ID: 3648696511-323873284
Opcode ID: 9e277fce805c9b07a1fc8073f56270704cef46285c160d440713ce7cae9850b5
Instruction ID: c479cdd90be6b905ce81e7c7198eb54ca4105a7e4ea340f09c4b04c9a81f1d90
Opcode Fuzzy Hash: 9e277fce805c9b07a1fc8073f56270704cef46285c160d440713ce7cae9850b5
Instruction Fuzzy Hash: 3A51D132910E247EE753DDBCD8012DBB6676F4E311F4205B1EE05FB120D6F66D4A8A86

Function 0040683C Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 118sleepstringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

Part of subcall function 00413D4D: GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
Part of subcall function 00413D4D: OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
Part of subcall function 00413D4D: GetCurrentThread.KERNEL32 ref: 00413D74
Part of subcall function 00413D4D: OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B

CreateThread.KERNEL32(00000000,00000000,0040604A,00000000,00000000,00000000), ref: 0040686A
GetTickCount.KERNEL32 ref: 00406882
Sleep.KERNEL32(00000BB8), ref: 00406899
GetTickCount.KERNEL32 ref: 004068AB
Sleep.KERNEL32(000003E8), ref: 004068BE
EnumProcesses.PSAPI(?,00001000,?), ref: 004068D4
lstrcpyA.KERNEL32(?,unknown), ref: 004068FF
OpenProcess.KERNEL32(00000411,00000000,?), ref: 0040690E
EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00406925
GetModuleBaseNameA.PSAPI(00000000,?,?,00000104), ref: 0040693F
TerminateProcess.KERNEL32(00000000,00000000), ref: 00406969
CloseHandle.KERNEL32(00000000), ref: 00406977
EnumWindows.USER32(Function_00005FD0,?), ref: 0040698A

Strings

unknown, xrefs: 004068F3
SeDebugPrivilege, xrefs: 00406850

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Process$DeleteEnumOpenThread$CloseCountCreateCurrentSleepTickTokenWindow$BaseCriticalDesktopEnterHandleModuleModulesNameProcessesRectSectionTerminateValueWindowslstrcpylstrlen
String ID: SeDebugPrivilege$unknown
API String ID: 3286018168-986860467
Opcode ID: 108ff26545c37bdedc217c4026fba8dbb628ae02fdcecc6729b986bc4aa78bf2
Instruction ID: 9c0e891f918fde1bb4dc23caddae53347e05642ca6a43f5c02609fdc1fd254ea
Opcode Fuzzy Hash: 108ff26545c37bdedc217c4026fba8dbb628ae02fdcecc6729b986bc4aa78bf2
Instruction Fuzzy Hash: A84154B1A01304ABEB20ABA19D49FEF777CEB04715F514077FA02F11D1DB78A950CA6A

Function 0042874A Relevance: 25.4, Strings: 20, Instructions: 392COMMON

Download Yara Rule

Strings

+, xrefs: 0042881F
9, xrefs: 004289B8
9, xrefs: 004289C8
0, xrefs: 004288E8
1, xrefs: 004289AF
+, xrefs: 00428932
E, xrefs: 00428833
e, xrefs: 0042883D
0, xrefs: 0042886B
9, xrefs: 004287BB
0, xrefs: 004289D6
0, xrefs: 004289AA
9, xrefs: 00428984
c, xrefs: 00428838
9, xrefs: 00428856
-, xrefs: 0042893B
0, xrefs: 00428829
-, xrefs: 00428824
9, xrefs: 0042880E
C, xrefs: 0042882E

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1153686847
Opcode ID: 02161361985eabf86c4be5559b61c19cae477bc12a4973ce681efbc70b554fc2
Instruction ID: 13fbb91d17da5591b7639b3a89c7a3a9a2319c12c096657787344311cb77cc90
Opcode Fuzzy Hash: 02161361985eabf86c4be5559b61c19cae477bc12a4973ce681efbc70b554fc2
Instruction Fuzzy Hash: C2D1C471F571688EEB258B55F8457BE7BB1FB41300FE8402FD441A6292DE7C9982CB0A

Function 0040E690 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040E6B5
GetTickCount.KERNEL32 ref: 0040E6C8
Sleep.KERNEL32(000003E8), ref: 0040E6D7
GetTickCount.KERNEL32 ref: 0040E6DD
inet_ntoa.WS2_32(00000000), ref: 0040E712
GetTickCount.KERNEL32 ref: 0040E7B6
GetTickCount.KERNEL32 ref: 0040E857
Sleep.KERNEL32(00001388), ref: 0040E893

Strings

255, xrefs: 0040E776
192.168, xrefs: 0040E73A
172.16, xrefs: 0040E74E
127, xrefs: 0040E762

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$Sleep$inet_ntoa
String ID: 127$172.16$192.168$255
API String ID: 3766371725-1322957428
Opcode ID: 6d79fe45ce410cdb1a39a107768565cc25125fac489925a2a0ecbdc1df7054e4
Instruction ID: e9ce9212d15bdc9e776c661dfa3e91f858b0d1ee243409a80d1de8cbc0a324b0
Opcode Fuzzy Hash: 6d79fe45ce410cdb1a39a107768565cc25125fac489925a2a0ecbdc1df7054e4
Instruction Fuzzy Hash: E55105B1A083418AE325DB36D88575BBAE45F91308F480C3FE599A32D2DB7CD568C35E

Function 00406718 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 85stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,76AF23A0,00000011), ref: 00406726
wsprintfA.USER32 ref: 00406741
FindFirstFileA.KERNEL32(?,?), ref: 00406754
wsprintfA.USER32 ref: 00406798
lstrcpyA.KERNEL32(?,00000028,00000000), ref: 004067BB
lstrcatA.KERNEL32(?,0042A3B0), ref: 004067CD
lstrcatA.KERNEL32(?,?), ref: 004067DD
SetFileAttributesA.KERNEL32(?,00000080), ref: 004067F8
FindNextFileA.KERNEL32(00000000,00000010), ref: 00406820
FindClose.KERNEL32(00000000), ref: 00406830

Strings

%s\*, xrefs: 0040673B
%s\%s, xrefs: 00406792

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileFind$lstrcatwsprintf$AttributesCloseFirstNextSleeplstrcpy
String ID: %s\%s$%s\*
API String ID: 2421785216-2848263008
Opcode ID: 1356115cb3018fa68d5a8994a02ea102dc9683ce23fcc945d1d48d7fca45c0de
Instruction ID: 0ecd25e5d59f9a0595605ca4691443b617c16b77e013c2d7aa34b0ccf6123ddf
Opcode Fuzzy Hash: 1356115cb3018fa68d5a8994a02ea102dc9683ce23fcc945d1d48d7fca45c0de
Instruction Fuzzy Hash: 923159B290021DABCF21ABA0DD89FDE777CEB14314F4044A3F905E6050DA749BA5CF55

Function 00407D1E Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 00407D2E
wsprintfA.USER32 ref: 00407D49
FindFirstFileA.KERNEL32(?,?), ref: 00407D5C
wsprintfA.USER32 ref: 00407D92

Part of subcall function 00407BDB: lstrlenA.KERNEL32(?), ref: 00407BE6
Part of subcall function 00407BDB: GetTickCount.KERNEL32 ref: 00407BF1
Part of subcall function 00407BDB: lstrcpyA.KERNEL32(?,.rar), ref: 00407CDD

wsprintfA.USER32 ref: 00407DB6
FindNextFileA.KERNEL32(00000000,00000010), ref: 00407DD6
FindClose.KERNEL32(00000000), ref: 00407DE3

Strings

%s\*, xrefs: 00407D43
., xrefs: 00407D72
%s\%s\%s, xrefs: 00407D8C
%s\%s, xrefs: 00407DB0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Findwsprintf$File$CloseCountFirstNextSleepTicklstrcpylstrlen
String ID: %s\%s$%s\%s\%s$%s\*$.
API String ID: 2951824930-2482664969
Opcode ID: b551fab8e6f85b9cfb29b3b61362c386f610e7aae9eb25f7f85e37cc7dde5924
Instruction ID: 31ed09feffa5d5b1f6df6013f9e8ad588a4fcfb57bb3d66a0b86f58f988e3b84
Opcode Fuzzy Hash: b551fab8e6f85b9cfb29b3b61362c386f610e7aae9eb25f7f85e37cc7dde5924
Instruction Fuzzy Hash: 80214271D0422DABCF219BA1DC49FEE7B7CEF04754F5400A2FD08E2190E678AB558B96

Function 00410F49 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 65filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00410F57
wsprintfA.USER32 ref: 00410F75
FindFirstFileA.KERNEL32(?,?), ref: 00410F88
wsprintfA.USER32 ref: 00410FC3

Part of subcall function 00410C84: lstrcpyA.KERNEL32(00000000,?), ref: 00410CB8
Part of subcall function 00410C84: lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00410CC6
Part of subcall function 00410C84: lstrlenA.KERNEL32(?), ref: 00410CDD
Part of subcall function 00410C84: lstrlenA.KERNEL32(00000001), ref: 00410D14
Part of subcall function 00410C84: lstrcatA.KERNEL32(00000000,00000000), ref: 00410D26
Part of subcall function 00410C84: lstrlenA.KERNEL32(00000000), ref: 00410D33
Part of subcall function 00410C84: GetTickCount.KERNEL32 ref: 00410D56

Part of subcall function 00410F49: FindClose.KERNEL32(00000000), ref: 00410FF0

FindNextFileA.KERNEL32(00000000,00000010), ref: 00410FFA
FindClose.KERNEL32(00000000), ref: 00411005

Strings

%s\*, xrefs: 00410F6F
., xrefs: 00410FA4
%s\%s, xrefs: 00410FBD

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Find$lstrlen$CloseFilelstrcatwsprintf$CountFirstNextSleepTicklstrcpy
String ID: %s\%s$%s\*$.
API String ID: 1166720965-2663966076
Opcode ID: 7feecf4d70b6509db16cebd3952902a63602dfc2898b091a80137c7e6d057285
Instruction ID: 6dbc7208595d96f97861377e4023f668a4a5fd743d8a18087754becb22f2692f
Opcode Fuzzy Hash: 7feecf4d70b6509db16cebd3952902a63602dfc2898b091a80137c7e6d057285
Instruction Fuzzy Hash: AC11873290021C6BDF319B61DC49FEE777CEB04718F040496FD08D2151E6B89AD68F65

Function 0040604A Relevance: 16.6, APIs: 11, Instructions: 83sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

GetTickCount.KERNEL32 ref: 0040607B
Sleep.KERNEL32(00000BB8,00000001), ref: 0040608C
GetTickCount.KERNEL32 ref: 0040609A
Sleep.KERNEL32(00001388), ref: 004060AE
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004060B4
Process32First.KERNEL32 ref: 004060CF
EnumWindows.USER32(Function_00005FD0,00000128), ref: 00406102
Sleep.KERNEL32(00000002), ref: 0040610D
Process32Next.KERNEL32(00000000,?), ref: 00406119
CloseHandle.KERNEL32(00000000), ref: 00406124
CloseHandle.KERNEL32(00000000), ref: 00406130

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseDeleteSleep$CountCreateHandleProcess32TickWindow$CriticalDesktopEnterEnumFirstNextRectSectionSnapshotToolhelp32ValueWindowslstrlen
String ID:
API String ID: 409001591-0
Opcode ID: cc7cc4d475e675ff0496617ce75b784f747ab016b1c6e83c6581fde991853430
Instruction ID: 6d14e935c9f0d40d690cf77a63c9d9c3f0f734b2a94bd45cc227ede2a9c64a07
Opcode Fuzzy Hash: cc7cc4d475e675ff0496617ce75b784f747ab016b1c6e83c6581fde991853430
Instruction Fuzzy Hash: D22105712443009FE720EB709C49B6B77ACEB40315F01093BF956A12C1DB7CD829C66A

Function 00407850 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,76AE8A60,00000000), ref: 00407864
wsprintfA.USER32 ref: 00407883
FindFirstFileA.KERNEL32(?,?), ref: 00407896
wsprintfA.USER32 ref: 004078D4
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040798E
FindClose.KERNEL32(00000000), ref: 004079BA

Strings

%s\*, xrefs: 0040787D
.exe, xrefs: 0040790E
%s\%s, xrefs: 004078CE

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Find$Filewsprintf$CloseFirstNextSleep
String ID: %s\%s$%s\*$.exe
API String ID: 1758027058-2151574129
Opcode ID: 5f073de3dcff7f9fe1fd304a7e1876fc0275856f7beec281107b431e190248e2
Instruction ID: 163c00c7d8bbd4ad810b400cbd44254186020fd6e3715fb87303bc0dc3067a1c
Opcode Fuzzy Hash: 5f073de3dcff7f9fe1fd304a7e1876fc0275856f7beec281107b431e190248e2
Instruction Fuzzy Hash: 8141D772E082285BEF30A7A09D48BDE77AC9F45315F1400B7ED44F2191D77CAA84CB5A

Function 00413D4D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
GetCurrentThread.KERNEL32 ref: 00413D74
OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B
LookupPrivilegeValueA.ADVAPI32(00000000,00000001,=A), ref: 00413D99
AdjustTokenPrivileges.ADVAPI32(0040D4C0,00000000,?,00000000,00000000,00000000), ref: 00413DC2
CloseHandle.KERNEL32(0040D4C0,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413DCD

Strings

=A, xrefs: 00413D91, 00413D94

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Token$CurrentOpenProcessThread$AdjustCloseHandleLookupPrivilegePrivilegesValue
String ID: =A
API String ID: 2466252811-2399317284
Opcode ID: 4fe2538e3e2ea93d9b9fbef1b55b33063fb91e0da2af47dccb38c6a48e1a1dd9
Instruction ID: 475d8baa3e36ee8e1e9a3101c06148507bb2b604236046abb380cd1cc11b1ce2
Opcode Fuzzy Hash: 4fe2538e3e2ea93d9b9fbef1b55b33063fb91e0da2af47dccb38c6a48e1a1dd9
Instruction Fuzzy Hash: FF112A71A01218FFDB109FA09D09DEF7ABCEF04742F504066F901E2150DA349F459BA9

Function 00411356 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 00411375
GetWindowDC.USER32(?), ref: 004113B0
CreateCompatibleDC.GDI32(00000000), ref: 004113BC
CreateCompatibleBitmap.GDI32(00000000,00000000,?), ref: 004113C8
SelectObject.GDI32(?,00000000), ref: 004113D5
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 004113EC

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

DeleteDC.GDI32(?), ref: 00411518
ReleaseDC.USER32(?,?), ref: 00411524
DeleteObject.GDI32(?), ref: 0041152D

Part of subcall function 004112DD: GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041133D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CompatibleCreateDeleteHeapObjectWindow$AllocateBitmapBitsProcessRectReleaseSelect
String ID:
API String ID: 516154677-0
Opcode ID: 42662666fbb734c4210314259c882b64821a0792b7043985fef9a84e3e4a9c2e
Instruction ID: 58c23c49903a31b3a89182b6c7fdb0ade33333abb29496c8dbe0a914effc51ca
Opcode Fuzzy Hash: 42662666fbb734c4210314259c882b64821a0792b7043985fef9a84e3e4a9c2e
Instruction Fuzzy Hash: 3D61AF71E00219EFDF01DFA8C844AFEBBB5FF44315F0440AAE901A6261D7399996CF69

Function 00413A12 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,ServicesActive,000F003F,00000000,00000000,00405B21,00000000,00000001,?,00405BAD), ref: 00413A2B
OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,00405BAD), ref: 00413A45
ControlService.ADVAPI32(00000000,00000001,?,?,00405BAD), ref: 00413A5B
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00405BAD), ref: 00413A7B
CloseServiceHandle.ADVAPI32(00000000,?,00405BAD), ref: 00413A82
CloseServiceHandle.ADVAPI32(00000000,?,00405BAD), ref: 00413A89

Strings

ServicesActive, xrefs: 00413A1F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Service$CloseHandleOpen$ChangeConfigControlManager
String ID: ServicesActive
API String ID: 1149404821-3071072050
Opcode ID: e339f78d4b0a7e80bd98c81ccaf5d6764f04251041539ca3299aa54bce896337
Instruction ID: f0dc7679a38273aa7a14fa9322e6c16f7626b2359b715fcf80eadf06e85900ad
Opcode Fuzzy Hash: e339f78d4b0a7e80bd98c81ccaf5d6764f04251041539ca3299aa54bce896337
Instruction Fuzzy Hash: FC0168752443947BCB115BB44C88EFF3F2C9F06393F0001A8F650B3281CE6946468339

Function 00413AAC Relevance: 12.1, APIs: 8, Instructions: 116timefileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00413AB3
GetSystemTime.KERNEL32(?), ref: 00413AC4
SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413AFD
SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B40
SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B8E
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00413BA5
SetFileTime.KERNEL32(00000000,?,?,?), ref: 00413BBF
CloseHandle.KERNEL32(00000000), ref: 00413BC6

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Time$File$System$CloseCountCreateHandleTick
String ID:
API String ID: 1788265925-0
Opcode ID: 62f3a8fd01e86ba9802440c37d62e379551f9e638d6293a371f93cda34054580
Instruction ID: 6c0202463d9a12d9f3580f39e1f5b74af0f3cd93389b840999671226064c08cf
Opcode Fuzzy Hash: 62f3a8fd01e86ba9802440c37d62e379551f9e638d6293a371f93cda34054580
Instruction Fuzzy Hash: C031B877A90318F2CB14B795AC43BDDB77DAF19324F41002BF601B50A0EBB496468B6D

Function 004139A0 Relevance: 12.0, APIs: 8, Instructions: 43clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(00000001), ref: 004139A3
OpenClipboard.USER32(00000000), ref: 004139AF
GetClipboardData.USER32(00000001), ref: 004139BB
CloseClipboard.USER32 ref: 004139C7
GlobalLock.KERNEL32(00000000), ref: 004139D2
GlobalUnlock.KERNEL32(00000000), ref: 004139DD
GlobalUnlock.KERNEL32(00000000), ref: 00413A00
CloseClipboard.USER32 ref: 00413A06

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Clipboard$Global$CloseUnlock$AvailableDataFormatLockOpen
String ID:
API String ID: 912484346-0
Opcode ID: eae13a3a5f8b141e93e72840e9433ecd6021eb0ab63837767615a28323a228f1
Instruction ID: 04bd896ddc82a1b7a155466ec80384b02c07603a9800962e80aadade4199eafd
Opcode Fuzzy Hash: eae13a3a5f8b141e93e72840e9433ecd6021eb0ab63837767615a28323a228f1
Instruction Fuzzy Hash: 5AF0C2B1310301ABE7106F75AC4DBAB3BACAF54713F00043AF505E2153DFA5D8518A7A

Function 0041394A Relevance: 12.0, APIs: 8, Instructions: 26clipboardstringmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0041394C
EmptyClipboard.USER32 ref: 00413957
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413961
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041396E
GlobalLock.KERNEL32(00000000), ref: 00413977
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413982
GlobalUnlock.KERNEL32(00000000), ref: 00413989
SetClipboardData.USER32(00000001,00000000), ref: 00413992

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlocklstrcpylstrlen
String ID:
API String ID: 3563369359-0
Opcode ID: d1bfc2bec72121191d5fdeca06325dad68d51be11a781bbeb7cc51d1b5ca18e6
Instruction ID: 03cfffbadc2426e9481ae38d35fbcacdd2f81c373927c6d6a8f287d221c63894
Opcode Fuzzy Hash: d1bfc2bec72121191d5fdeca06325dad68d51be11a781bbeb7cc51d1b5ca18e6
Instruction Fuzzy Hash: A1E0C9B1645211EFDB222BA0AD0DBAA3A28FF05753F404464F90A91161CF754962CBBB

Function 0040F488 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 577networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040F4D5
Sleep.KERNEL32(000003E8), ref: 0040FA52

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

gethostname.WS2_32(?,00000080), ref: 0040FAA9
gethostbyname.WS2_32(?), ref: 0040FAB6

Strings

asdf, xrefs: 0040F830
IP: , xrefs: 0040F84E

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$CountSleepTickgethostbynamegethostname
String ID: IP: $asdf
API String ID: 452584736-2391607419
Opcode ID: 675ad9c3315867715e073771c222b3fc62d84ebd2aaea0f34cbab47e72c131b5
Instruction ID: ab9c753e390d52234ecca9495911783dd6aac38805f13ab3233c2d1990d96d36
Opcode Fuzzy Hash: 675ad9c3315867715e073771c222b3fc62d84ebd2aaea0f34cbab47e72c131b5
Instruction Fuzzy Hash: EF0228B2A00248ABDB31EBA4CC51BEB739DAB09304F440477F544B65C3D67C9E4D8B6A

Function 0041F6DA Relevance: 10.6, APIs: 7, Instructions: 77sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041F6ED
GetTickCount.KERNEL32 ref: 0041F6FE
Sleep.KERNEL32(000003E8,?,?,?,?,0041EA98,?), ref: 0041F709
GetTickCount.KERNEL32 ref: 0041F722
GetTickCount.KERNEL32 ref: 0041F733
Sleep.KERNEL32(000003E8,?,?,?,?,0041EA98,?), ref: 0041F73E
Sleep.KERNEL32(000003E8,?,?,?,?,0041EA98,?), ref: 0041F767

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 161cf8bd128d5a51058f7d358cb650ecc025abff49970afb976e8031017e02e2
Instruction ID: 37ab511a8c99d46af37373ac3a2a01bb89e66870ac199741f8ee6592e2accd50
Opcode Fuzzy Hash: 161cf8bd128d5a51058f7d358cb650ecc025abff49970afb976e8031017e02e2
Instruction Fuzzy Hash: 6A215C74640B01CFD720DF69C980AA2B3E5AB04320714897FD5AA87790E738EC8BCB19

Function 004202CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68sleepstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

GetTickCount.KERNEL32 ref: 00420325
Sleep.KERNEL32(0000012C), ref: 00420331
GetTickCount.KERNEL32 ref: 00420366
lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 0042038A
GetTickCount.KERNEL32 ref: 00420393

Part of subcall function 00420254: lstrcpyA.KERNEL32(?,?,?,?,76AF23A0), ref: 004202A6

Strings

CHATMESSAGE %s %s, xrefs: 00420347

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTicklstrlen$Sleeplstrcpy
String ID: CHATMESSAGE %s %s
API String ID: 4099572657-2765123567
Opcode ID: 2eaa1224318611654b2d5092452d4982a2b1450a721547f192b0d231ec6be95a
Instruction ID: b7813128639269fd7a031518db9444faf9342c1ad553484321c0b2c6c1a34b36
Opcode Fuzzy Hash: 2eaa1224318611654b2d5092452d4982a2b1450a721547f192b0d231ec6be95a
Instruction Fuzzy Hash: 87112772700218EFCF10AF65EC457997FA49F44304F5040BBEE04A7292CA7CDA158BAE

Function 004069AA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46stringsleepCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(000003FF,?), ref: 004069C0
Sleep.KERNEL32(000003E8), ref: 004069DA
lstrcpyA.KERNEL32(?,:\System Volume Information), ref: 004069FC

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

Part of subcall function 00413F8E: GetCurrentProcess.KERNEL32(00000008,00000000,?), ref: 00413FA3
Part of subcall function 00413F8E: OpenProcessToken.ADVAPI32(00000000), ref: 00413FAA
Part of subcall function 00413F8E: GetLastError.KERNEL32 ref: 00413FB4

Part of subcall function 00406718: Sleep.KERNEL32(?,76AF23A0,00000011), ref: 00406726
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406741
Part of subcall function 00406718: FindFirstFileA.KERNEL32(?,?), ref: 00406754
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406798
Part of subcall function 00406718: FindNextFileA.KERNEL32(00000000,00000010), ref: 00406820
Part of subcall function 00406718: FindClose.KERNEL32(00000000), ref: 00406830

lstrlenA.KERNEL32(00000000), ref: 00406A33

Strings

:\System Volume Information, xrefs: 004069F0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileFind$ProcessSleepwsprintf$AttributesCloseCurrentDriveErrorFirstLastLogicalNextOpenStringsTokenlstrcpylstrlen
String ID: :\System Volume Information
API String ID: 37162560-840427735
Opcode ID: 5622b39cc6e52f87ce0823d298bcf23ef7ce75b917dd8e64b3bfb3e20339746b
Instruction ID: 3a35d430a8b653277afed3024383a8c970a327806e4800319cf946ad7f90d972
Opcode Fuzzy Hash: 5622b39cc6e52f87ce0823d298bcf23ef7ce75b917dd8e64b3bfb3e20339746b
Instruction Fuzzy Hash: 72012B719441695BDB20AB648C09FEA776C5B01301F8000A2A9C5B2181DA786BD68F59

Function 0042185B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0042185F
GetTickCount.KERNEL32 ref: 00421892
Sleep.KERNEL32(00000064,?,?,76AF23A0), ref: 0042189E
Sleep.KERNEL32(000003E8,?,?,76AF23A0), ref: 004218B5

Strings

(9F, xrefs: 00421871

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountSleepTick
String ID: (9F
API String ID: 2804873075-1478797141
Opcode ID: 563e7cb43550c95dcfdcc4b756396648e8eae4d2fb5d0f5d49cce62bc54be093
Instruction ID: 602608fe2a53e29e7fbdf509ec23d8455fc930f4c724492092ef177562ae7c18
Opcode Fuzzy Hash: 563e7cb43550c95dcfdcc4b756396648e8eae4d2fb5d0f5d49cce62bc54be093
Instruction Fuzzy Hash: 38F05961B083A46FE3106760FC84B2F3B488B62369F444036FC88512A2D75A0924C27F

Function 00405F6F Relevance: 7.5, APIs: 5, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

GetTickCount.KERNEL32 ref: 00405F9D
Sleep.KERNEL32(00000BB8,00000001), ref: 00405FA8
GetTickCount.KERNEL32 ref: 00405FB6
EnumWindows.USER32(Function_00005D79,00000000), ref: 00405FC1
Sleep.KERNEL32(000000C8), ref: 00405FCC

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Delete$CountSleepTickWindow$CloseCreateCriticalDesktopEnterEnumRectSectionValueWindowslstrlen
String ID:
API String ID: 281037392-0
Opcode ID: e9a861f1c01a10f7759c420cdd16f1389e7c25a702535cb354152567e22b7995
Instruction ID: c11db00c360bf4b784d5b7d7eeec3b580e66b8c7e3f3393114e085b604093c77
Opcode Fuzzy Hash: e9a861f1c01a10f7759c420cdd16f1389e7c25a702535cb354152567e22b7995
Instruction Fuzzy Hash: AFF02720285A0A9BD52077A18D86F7F3614DB14B04F60003BB944B72C1AEBC5815C9BF

Function 0040286C Relevance: 4.6, APIs: 3, Instructions: 54networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,0000000A), ref: 004028AA
__WSAFDIsSet.WS2_32(00000000,?), ref: 004028B8
recv.WS2_32(00000000,?,00000001,00000000), ref: 004028C8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 2bf16eb18f15f9793efcb658b2bf93130dfb73b698c7f8967fffbbe24132bffb
Instruction ID: 6264d5f5ecc1a434d16aa4f42c559176d7df99e7aa0d17d9064e4bdaab47e883
Opcode Fuzzy Hash: 2bf16eb18f15f9793efcb658b2bf93130dfb73b698c7f8967fffbbe24132bffb
Instruction Fuzzy Hash: 0F118E7690021CAFCB11DF95CC848DEB7BCEB4A310F0085AAE915E3240C2B49A858FA1

Function 00416896 Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168B8
GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168DA
inet_addr.WS2_32(000001D8), ref: 004168ED

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Part of subcall function 00410BF4: Sleep.KERNEL32(0000012C,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C14
Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C1D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$Process$AdaptersInfo$AllocateFreeSleepinet_addr
String ID:
API String ID: 4155502220-0
Opcode ID: 1de6d21674ae7a9416565cf6b339316a61ed98822fc851f012df3c5cd82ddbf6
Instruction ID: 25d933aa01d65a0ee66b40fe54a4d57a8d5fecb295dff1c60acf8f39e0479c78
Opcode Fuzzy Hash: 1de6d21674ae7a9416565cf6b339316a61ed98822fc851f012df3c5cd82ddbf6
Instruction Fuzzy Hash: 4201DFB2801108AFCB11AFA5D9818EE77ACDA51368721007FF411E7200EF78EEC5DB68

Function 00413DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00413D4D: GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
Part of subcall function 00413D4D: OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
Part of subcall function 00413D4D: GetCurrentThread.KERNEL32 ref: 00413D74
Part of subcall function 00413D4D: OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B

ExitWindowsEx.USER32(00000006,00050005), ref: 00413DED

Strings

SeShutdownPrivilege, xrefs: 00413DDA

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 2133229600-3733053543
Opcode ID: 9e2c5fa738271bbbfc0a842d02a264c6e44e78896af363eb2e0fd65456633e6b
Instruction ID: e799f9225938af673a64b3dc1b55c5478f18b35a7da82f7c160b49fa6cf42411
Opcode Fuzzy Hash: 9e2c5fa738271bbbfc0a842d02a264c6e44e78896af363eb2e0fd65456633e6b
Instruction Fuzzy Hash: E3C09B313C534096F51417727D4FF4E51555B40F63F51401E76015C0D1FDC554D0441A

Function 00427227 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 00427247

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: abcd8f884eb0d790cf972bef3ed77a72991ea88b0fd8d91913a901745e87547a
Instruction ID: 225cd7df6b92b4206f9a7582b4124069e957c177720ba20da0cf16bfbb7ebb29
Opcode Fuzzy Hash: abcd8f884eb0d790cf972bef3ed77a72991ea88b0fd8d91913a901745e87547a
Instruction Fuzzy Hash: C8E09234B08208EBDB10DBE4E845E9D7BB86B04328F5041A6F510D62D1DBB496148769

Function 0041A936 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52332c79a0bd40d1298f6ca88273abcc4f216cf950132b9765b2f45900f3ad78
Instruction ID: c9831931d385c97abc0589d6a228ecc03006a0524d3a27148b4b42d13d7189bd
Opcode Fuzzy Hash: 52332c79a0bd40d1298f6ca88273abcc4f216cf950132b9765b2f45900f3ad78
Instruction Fuzzy Hash: BB42BC76A116058FD748CF69C8D9BA6B3E3BFCC310F5B81FA851A5F265CA706811CE84

Function 0042797B Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928e56e57a48a481a7910e8e9d35efa608cd7d846a12f7b1813392c24604a220
Instruction ID: 66900e7929e749053c19963c9040592c735d9bb8b2ff140ea9de12773cba0c17
Opcode Fuzzy Hash: 928e56e57a48a481a7910e8e9d35efa608cd7d846a12f7b1813392c24604a220
Instruction Fuzzy Hash: E9B18A71A0421ADFCB15CF14D5D0AA9FBA1BF58328F54C1AEC81A5B342C735EE42CB94

Function 0041B477 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bc7e8b0cfd9c55f5ee273a7dcf1ee305efd65beac54158c46530f7c1e2e0eb
Instruction ID: 2afff48053059701403f0287210e808b21a48eb4058a18c5fc092893e25be9ad
Opcode Fuzzy Hash: f5bc7e8b0cfd9c55f5ee273a7dcf1ee305efd65beac54158c46530f7c1e2e0eb
Instruction Fuzzy Hash: 3C31E132A0121AABCB15DF78C4D05EEBBF1EB89344F1481AED891A7341D734AE85CB90

Function 004223D8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f74e058b69127539370dbd1afe9503671c14a940c93cf10dca0284eed57b908
Instruction ID: da98938ff67e46ff6316c43a934677ccc5072715354b31ec43a9b3bc3835347e
Opcode Fuzzy Hash: 0f74e058b69127539370dbd1afe9503671c14a940c93cf10dca0284eed57b908
Instruction Fuzzy Hash: A821F832A00224AFCB14EF69DCC48A7B7A5FF44350B8685AAEC158B245D774F915C7E4

Function 0041B3CF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97b539cb823fac0f91bee5f44b5077dd938fb3448b6e56497f4f5df416f2e3b
Instruction ID: 1b50a1263328ffa51d38a1827ee6d12af7b26cc890651d4c3244326047c96eec
Opcode Fuzzy Hash: e97b539cb823fac0f91bee5f44b5077dd938fb3448b6e56497f4f5df416f2e3b
Instruction Fuzzy Hash: 71F04F77F2153416F78C947ACC513AB918797C8661F5EC63EAEA9E72C5CCB48C1252C0

Function 0041C853 Relevance: 77.3, APIs: 41, Strings: 3, Instructions: 333windowsleepCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 0041C86F

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

IsWindowVisible.USER32(?), ref: 0041C89C

Part of subcall function 0041435D: GetDesktopWindow.USER32 ref: 0041436A
Part of subcall function 0041435D: GetWindowRect.USER32(00000000), ref: 00414377
Part of subcall function 0041435D: GetWindowRect.USER32(?,?), ref: 00414381
Part of subcall function 0041435D: SetWindowTextA.USER32(?,0042A440), ref: 0041438F
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414401
Part of subcall function 0041435D: SetWindowPos.USER32(?,000000FF,?,00000000,00000000,00000000,00000040), ref: 0041441C
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414425
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414432
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 0041443B
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 0041443E
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414441
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414444
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414447
Part of subcall function 0041435D: Sleep.KERNEL32(00000064), ref: 0041444B
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414454

GetDesktopWindow.USER32 ref: 0041C901
GetWindowRect.USER32(00000000), ref: 0041C908
GetWindowRect.USER32(?,?), ref: 0041C90F
SetWindowTextA.USER32(?,0042A440), ref: 0041C917
SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 0041C93C
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0041C973
ShowWindow.USER32(?,00000000), ref: 0041C97B
GetTickCount.KERNEL32 ref: 0041C999
SetForegroundWindow.USER32(?), ref: 0041C9AC
SetFocus.USER32(?), ref: 0041C9B9
SetForegroundWindow.USER32(?), ref: 0041C9BC
SetFocus.USER32(?), ref: 0041C9C3
SetForegroundWindow.USER32(?), ref: 0041C9C6
SetFocus.USER32(?), ref: 0041C9CD
Sleep.KERNEL32(00000064), ref: 0041C9D1
PostMessageA.USER32(?,00000100,00000009,00000000), ref: 0041C9EE
PostMessageA.USER32(?,00000100,00000026,00000000), ref: 0041C9F6
PostMessageA.USER32(?,00000100,0000000D,00000000), ref: 0041C9FE
GetWindowRect.USER32(?,?), ref: 0041CA73
Sleep.KERNEL32(000001F4), ref: 0041CA80
SetFocus.USER32(?), ref: 0041CAC7
GetWindowRect.USER32(?,?), ref: 0041CB3C
GetSystemMetrics.USER32(00000005), ref: 0041CB46
GetSystemMetrics.USER32(00000007), ref: 0041CB4F
GetSystemMetrics.USER32(00000008), ref: 0041CB5B

Strings

tSkNotify, xrefs: 0041C957
tSkACLForm., xrefs: 0041C8EC
tSkMainForm., xrefs: 0041C87B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Focus$ForegroundRect$MessagePostShow$MetricsSleepSystem$DesktopTextlstrlen$ClassCountNameTickVisible
String ID: tSkACLForm.$tSkMainForm.$tSkNotify
API String ID: 3615854559-155394806
Opcode ID: 463757892536bf29f106dfa065d9da7bac098429f2f28372f83c722d2c8cfdf3
Instruction ID: 33e34fc2864a5c1f50d125138dd43901c9e19477e55f8c9ec2e9d27e71862bec
Opcode Fuzzy Hash: 463757892536bf29f106dfa065d9da7bac098429f2f28372f83c722d2c8cfdf3
Instruction Fuzzy Hash: 08B1E671940208BFEB11EFA4DC85FEF3B78EF05714F100056F904A6291DB799A91DBA9

Function 0041E526 Relevance: 76.7, APIs: 33, Strings: 18, Instructions: 214sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041E55E

Part of subcall function 0041D048: EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
Part of subcall function 0041D048: lstrlenA.KERNEL32(?), ref: 0041D066
Part of subcall function 0041D048: SendMessageA.USER32(0000004A,00000000), ref: 0041D082
Part of subcall function 0041D048: LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Sleep.KERNEL32(00000003), ref: 0041E574
wsprintfA.USER32 ref: 0041E580
Sleep.KERNEL32(00000003), ref: 0041E590
wsprintfA.USER32 ref: 0041E59C
Sleep.KERNEL32(00000003), ref: 0041E5AC
wsprintfA.USER32 ref: 0041E5B8
wsprintfA.USER32 ref: 0041E5CD
Sleep.KERNEL32(00000003), ref: 0041E5DD
wsprintfA.USER32 ref: 0041E5E9
Sleep.KERNEL32(00000003), ref: 0041E5F9
wsprintfA.USER32 ref: 0041E605
Sleep.KERNEL32(00000003), ref: 0041E615
wsprintfA.USER32 ref: 0041E621
Sleep.KERNEL32(00000003), ref: 0041E631
wsprintfA.USER32 ref: 0041E63D
Sleep.KERNEL32(00000003), ref: 0041E64D
wsprintfA.USER32 ref: 0041E659
Sleep.KERNEL32(00000003), ref: 0041E669
wsprintfA.USER32 ref: 0041E675
wsprintfA.USER32 ref: 0041E68A
Sleep.KERNEL32(00000003), ref: 0041E69A
wsprintfA.USER32 ref: 0041E6A6
Sleep.KERNEL32(00000003), ref: 0041E6B6
wsprintfA.USER32 ref: 0041E6C2
Sleep.KERNEL32(00000003), ref: 0041E6D2
wsprintfA.USER32 ref: 0041E6DE
Sleep.KERNEL32(00000003), ref: 0041E6EE
wsprintfA.USER32 ref: 0041E6FA
Sleep.KERNEL32(00000003), ref: 0041E70A
wsprintfA.USER32 ref: 0041E716
Sleep.KERNEL32(00000003), ref: 0041E726
wsprintfA.USER32 ref: 0041E732

Strings

GET USER %s BUDDYSTATUS, xrefs: 0041E6BC
GET USER %s PHONE_MOBILE, xrefs: 0041E637
GET USER %s CITY, xrefs: 0041E5E3
GET USER %s PHONE_HOME, xrefs: 0041E5FF
GET USER %s ISBLOCKED, xrefs: 0041E6F4
GET USER %s ONLINESTATUS, xrefs: 0041E710
GET USER %s SEX, xrefs: 0041E596
GET USER %s PHONE_OFFICE, xrefs: 0041E61B
GET USER %s FULLNAME, xrefs: 0041E558
GET USER %s LANGUAGE, xrefs: 0041E5B2
GET USER %s IS_VIDEO_CAPABLE, xrefs: 0041E684
GET USER %s MOOD_TEXT, xrefs: 0041E72C
GET USER %s IS_VOICEMAIL_CAPABLE, xrefs: 0041E6A0
GET USER %s ABOUT, xrefs: 0041E66F
GET USER %s HOMEPAGE, xrefs: 0041E653
GET USER %s COUNTRY, xrefs: 0041E5C7
GET USER %s BIRTHDAY, xrefs: 0041E57A
GET USER %s ISAUTHORIZED, xrefs: 0041E6D5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: wsprintf$Sleep$CriticalSection$EnterLeaveMessageSendlstrlen
String ID: GET USER %s ABOUT$GET USER %s BIRTHDAY$GET USER %s BUDDYSTATUS$GET USER %s CITY$GET USER %s COUNTRY$GET USER %s FULLNAME$GET USER %s HOMEPAGE$GET USER %s ISAUTHORIZED$GET USER %s ISBLOCKED$GET USER %s IS_VIDEO_CAPABLE$GET USER %s IS_VOICEMAIL_CAPABLE$GET USER %s LANGUAGE$GET USER %s MOOD_TEXT$GET USER %s ONLINESTATUS$GET USER %s PHONE_HOME$GET USER %s PHONE_MOBILE$GET USER %s PHONE_OFFICE$GET USER %s SEX
API String ID: 2111711390-3513588607
Opcode ID: 2f15dbdde7687e948eed955ca64e7f3ba777cbf9fa709e115f379ba0845dc2bf
Instruction ID: 5bcbf71a064628ea65807ddb805358d2f360003b4b64f9d624bbe829e34e61e6
Opcode Fuzzy Hash: 2f15dbdde7687e948eed955ca64e7f3ba777cbf9fa709e115f379ba0845dc2bf
Instruction Fuzzy Hash: 9451C9F2D4022C66DF01B6E9DCC5FDE7F6CEB94708F54081BF505E2082EA6DA3158A65

Function 0041E235 Relevance: 73.8, APIs: 25, Strings: 24, Instructions: 251stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000001,FULLNAME,?,00000000,?,0045B918,0041EFAB,0045B91D), ref: 0041E29A

Part of subcall function 0041E1DC: lstrlenA.KERNEL32(0045B918,00000000,0041EFAB,0041E283,0041EFAB,?,00000000,?,0045B918,0041EFAB,0045B91D), ref: 0041E1E7

lstrcmpA.KERNEL32(00000001,BIRTHDAY,?,00000000,?,0045B918,0041EFAB,0045B91D), ref: 0041E2AE
lstrcmpA.KERNEL32(00000001,SEX,?,00000000,?,0045B918,0041EFAB,0045B91D), ref: 0041E2C2
lstrcmpA.KERNEL32(00000001,NROF_AUTHED_BUDDIES,?,00000000,?,0045B918,0041EFAB,0045B91D), ref: 0041E4D5

Strings

SEX, xrefs: 0041E2BC
ONLINESTATUS, xrefs: 0041E43C
OFFLINE, xrefs: 0041E45C
ISBLOCKED, xrefs: 0041E421
BIRTHDAY, xrefs: 0041E2A8
HOMEPAGE, xrefs: 0041E361
UNKNOWN, xrefs: 0041E448
PHONE_OFFICE, xrefs: 0041E339
DND, xrefs: 0041E4A4
ONLINE, xrefs: 0041E46E
CITY, xrefs: 0041E311
PHONE_HOME, xrefs: 0041E325
COUNTRY, xrefs: 0041E2FD
ABOUT, xrefs: 0041E375
LANGUAGE, xrefs: 0041E2E9
AWAY, xrefs: 0041E480
BUDDYSTATUS, xrefs: 0041E3BF
FULLNAME, xrefs: 0041E294
NROF_AUTHED_BUDDIES, xrefs: 0041E4CF
IS_VOICEMAIL_CAPABLE, xrefs: 0041E3A4
IS_VIDEO_CAPABLE, xrefs: 0041E389
MOOD_TEXT, xrefs: 0041E4B6
PHONE_MOBILE, xrefs: 0041E34D
ISAUTHORIZED, xrefs: 0041E406

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmp$lstrlen
String ID: ABOUT$AWAY$BIRTHDAY$BUDDYSTATUS$CITY$COUNTRY$DND$FULLNAME$HOMEPAGE$ISAUTHORIZED$ISBLOCKED$IS_VIDEO_CAPABLE$IS_VOICEMAIL_CAPABLE$LANGUAGE$MOOD_TEXT$NROF_AUTHED_BUDDIES$OFFLINE$ONLINE$ONLINESTATUS$PHONE_HOME$PHONE_MOBILE$PHONE_OFFICE$SEX$UNKNOWN
API String ID: 1796421272-2537570566
Opcode ID: b828d17df0a53081407dfd3d61c0ad278200320d67d3b5275ee632f44770f880
Instruction ID: ae483a099041e121b577d559023c1734151ade630782458bd69102cbe1f60af0
Opcode Fuzzy Hash: b828d17df0a53081407dfd3d61c0ad278200320d67d3b5275ee632f44770f880
Instruction Fuzzy Hash: A661B2797493AAB5E72019331E45BFB1E8C5F21788BA84057FC0592286F76CD4D242FE

Function 00401F9D Relevance: 70.3, APIs: 33, Strings: 7, Instructions: 328stringsleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00401FEE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 004020C4
lstrcatA.KERNEL32(?,0042A3B0), ref: 004020D2
lstrlenA.KERNEL32(?,00000007), ref: 004020DD
lstrcatA.KERNEL32(?,0042A3B0), ref: 004020FE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00402129
lstrcatA.KERNEL32(?,?), ref: 00402136
lstrcatA.KERNEL32(?,.exe), ref: 00402144
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402152
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?,00000000), ref: 00402176
wsprintfA.USER32 ref: 004021C6
lstrcpyA.KERNEL32(?,?), ref: 004021DD
lstrlenA.KERNEL32(?), ref: 004021E6
lstrcatA.KERNEL32(?,?), ref: 00402207
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00402215
lstrcatA.KERNEL32(?,0042A3B0), ref: 00402223
lstrcatA.KERNEL32(?,?), ref: 00402230
lstrcatA.KERNEL32(?,.rar), ref: 0040223E
DeleteFileA.KERNEL32(?), ref: 00402247
Sleep.KERNEL32(00001388), ref: 0040225C
Sleep.KERNEL32(00001388), ref: 00402278
Sleep.KERNEL32(00001388), ref: 004022B0
Sleep.KERNEL32(000003E8), ref: 004022D3
Sleep.KERNEL32(000003E8), ref: 0040230D
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402333
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00402350
WriteFile.KERNEL32(00000000,00000000,?,00000000), ref: 0040238D
CloseHandle.KERNEL32(?), ref: 00402396
SetFileAttributesA.KERNEL32(?,00000080), ref: 004023CC
CopyFileA.KERNEL32(?,?,00000001), ref: 004023E2
DeleteFileA.KERNEL32(?), ref: 004023EF
ShellExecuteA.SHELL32(00000000,00000000,00459550,?,?,00000000), ref: 00402420
CloseHandle.KERNEL32(00000000), ref: 00402451

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 00402171
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\, xrefs: 004020A0
tmp, xrefs: 004023F7
.exe, xrefs: 00402138, 004021FF
a "..\%s.rar" * , xrefs: 004021C0
.rar, xrefs: 00402232
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 004020B8, 0040211D, 00402209, 004023FD

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$lstrcat$Sleep$lstrcpy$Attributes$CloseCopyDeleteHandlelstrlen$CreateExecuteShellWritewsprintf
String ID: .exe$.rar$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$a "..\%s.rar" * $tmp
API String ID: 1896541782-2164101580
Opcode ID: a66ae4b6b332cfed5fc7a961c17a4407ea6aa7cc5e1f26f7e44e15efcff0d816
Instruction ID: 3022652ca617998f224523417b6a8ac86932b041dbb7c5d2648501ab9886e0b1
Opcode Fuzzy Hash: a66ae4b6b332cfed5fc7a961c17a4407ea6aa7cc5e1f26f7e44e15efcff0d816
Instruction Fuzzy Hash: 07C1E071940348EBDF21EBE0DD89ADA7B6CAB05304F4044BBE504A7191E6BD5A8DCF29

Function 00416C6D Relevance: 64.9, APIs: 26, Strings: 11, Instructions: 177stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00459868,76AE8A60,00000000,?,00417010,AddPortMapping,?,?), ref: 00416C88
lstrlenA.KERNEL32(?,?,00417010,AddPortMapping,?,?), ref: 00416CC5

Strings

HTTP/1.1HOST: , xrefs: 00416DA2
> </s:Body></s:Envelope>, xrefs: 00416D76
POST , xrefs: 00416D84
", xrefs: 00416E2F
xmlns:u=", xrefs: 00416D25
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:, xrefs: 00416D0B
</u:, xrefs: 00416D5C
Content-Type: text/xml; charset="utf-8"SOAPAction: ", xrefs: 00416DFD
<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" , xrefs: 00416CFD
">, xrefs: 00416D42
Content-Length: , xrefs: 00416DC0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen
String ID: Content-Length: $Content-Type: text/xml; charset="utf-8"SOAPAction: "$ </u:$ HTTP/1.1HOST: $ xmlns:u="$"$">$<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" $> </s:Body></s:Envelope>$POST $s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:
API String ID: 1659193697-2294304887
Opcode ID: c8d16eee7a0d88e757d38f19f1d704b13cbca22e21eae0bd058f0f21d0ae4159
Instruction ID: 7b3baf382d71d715a22e5296741040421d155ac39f68479bf3baede08e0e3f2e
Opcode Fuzzy Hash: c8d16eee7a0d88e757d38f19f1d704b13cbca22e21eae0bd058f0f21d0ae4159
Instruction Fuzzy Hash: A651FFB6D4023CA6DB21DBA2DD44ECB7BAC9B04254F5005D3B708E3040EA78DB588FA9

Function 0040FB2F Relevance: 63.4, APIs: 23, Strings: 13, Instructions: 415stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EA9F: lstrlenA.KERNEL32(?,?), ref: 0040EB2B

socket.WS2_32(00000002,00000001,00000006), ref: 0040FB65

Part of subcall function 004138BC: inet_addr.WS2_32(?), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000050), ref: 0040FB83
connect.WS2_32(?,?,00000010), ref: 0040FB96
wsprintfA.USER32 ref: 0040FBD0
lstrlenA.KERNEL32(?,00000000), ref: 0040FBE3
send.WS2_32(?,?,00000000), ref: 0040FBF4
select.WS2_32(?,?,00000000,00000000,?), ref: 0040FC3E
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040FC4E
recv.WS2_32(?,?,00000001,00000000), ref: 0040FC6C
lstrcmpiA.KERNEL32(00000001,jan), ref: 0040FD59
lstrcmpiA.KERNEL32(00000001,feb), ref: 0040FD6E
lstrcmpiA.KERNEL32(00000001,mar), ref: 0040FD83
lstrcmpiA.KERNEL32(00000001,apr), ref: 0040FD98
closesocket.WS2_32(?), ref: 0040FEB9
closesocket.WS2_32(?), ref: 0040FF99

Strings

jan, xrefs: 0040FD50
feb, xrefs: 0040FD68
aug, xrefs: 0040FDDD
jul, xrefs: 0040FDCB
mar, xrefs: 0040FD7D
nov, xrefs: 0040FE13
dec, xrefs: 0040FE25
sep, xrefs: 0040FDEF
oct, xrefs: 0040FE01
may, xrefs: 0040FDA7
date, xrefs: 0040FCBC
jun, xrefs: 0040FDB9
apr, xrefs: 0040FD92

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmpi$closesocketlstrlen$connectgethostbynamehtonsinet_addrrecvselectsendsocketwsprintf
String ID: apr$aug$date$dec$feb$jan$jul$jun$mar$may$nov$oct$sep
API String ID: 4061257364-2825898416
Opcode ID: a18311e5c731aebbf38475baf1635ccf958f722417b5ed2d110cee199ec65c7a
Instruction ID: b440cbbe22d014a8756bf6f11b7a8553ac34d49057fa62a6aabe9826c51b07e3
Opcode Fuzzy Hash: a18311e5c731aebbf38475baf1635ccf958f722417b5ed2d110cee199ec65c7a
Instruction Fuzzy Hash: 95D14B3160435A9ADB315A259C44BBF37A89F16344F68007BFD05F26D3EA7CC84A876E

Function 00407DF4 Relevance: 58.2, APIs: 30, Strings: 3, Instructions: 410stringsleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00007530), ref: 00407E11
Sleep.KERNEL32(000003E8), ref: 00407E3E
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00407E59
lstrlenA.KERNEL32(?,0000000A), ref: 00407E68
lstrcatA.KERNEL32(?,.exe), ref: 00407E8A
lstrcatA.KERNEL32(?,.exe), ref: 00407EA1
GetTickCount.KERNEL32 ref: 00407EBF
GetLogicalDriveStringsA.KERNEL32(000003FF,?), ref: 00407ED8
GetDriveTypeA.KERNEL32(00000000), ref: 00407EF2
lstrcatA.KERNEL32(?,?), ref: 00407F58
lstrlenA.KERNEL32(?), ref: 00407FB2
lstrcatA.KERNEL32(?,.bat), ref: 00407FED
lstrcatA.KERNEL32(?,.bat), ref: 00408015
lstrcatA.KERNEL32(?,.bat), ref: 0040803D
lstrcpyA.KERNEL32(?,?), ref: 0040804F
lstrcpyA.KERNEL32(?,?), ref: 004080A9
lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0000001F), ref: 00408121
SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,0000001F), ref: 00408130
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,0000001F), ref: 0040814E
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,0000001F), ref: 0040816C
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,0000001F), ref: 00408187
wsprintfA.USER32 ref: 00408254
lstrlenA.KERNEL32(?,?,00000000), ref: 0040826A
WriteFile.KERNEL32(?,?,00000000), ref: 0040827B
CloseHandle.KERNEL32(?), ref: 00408284

Part of subcall function 00413AAC: GetTickCount.KERNEL32 ref: 00413AB3
Part of subcall function 00413AAC: GetSystemTime.KERNEL32(?), ref: 00413AC4
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413AFD
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B40
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B8E
Part of subcall function 00413AAC: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00413BA5

lstrcpyA.KERNEL32(?,?), ref: 0040807C

Part of subcall function 00414D8E: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

SetFileAttributesA.KERNEL32(?,00000007), ref: 004082AD
lstrlenA.KERNEL32(00000000), ref: 004082B4
lstrlenA.KERNEL32 ref: 004082F7
Sleep.KERNEL32(000003E8), ref: 0040830C

Strings

.exe, xrefs: 00407E7D, 00407E82, 00407E99
.bat, xrefs: 00407FE0, 00407FE5, 0040800D, 00408035
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00407E4D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$Timelstrcat$lstrlen$CreateSleepSystemlstrcpy$AttributesCountDriveTick$CloseHandleLogicalStringsTypeWritewsprintf
String ID: .bat$.exe$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\
API String ID: 530435527-4043645035
Opcode ID: 1c9aa11be561838a43ae379175575fc0f3b474eaa967c09e3932d09641773631
Instruction ID: c6ce981036597e7e3b7541c0c98113c6be5eba37bc76b6932f84717924a43464
Opcode Fuzzy Hash: 1c9aa11be561838a43ae379175575fc0f3b474eaa967c09e3932d09641773631
Instruction Fuzzy Hash: 11D1B8B2D0011CAADB25DBA0DC4AFEA77BDAB44314F5404ABF504E2181DA789F858F69

Function 004157A7 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 313sleepstringthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004157B9
Sleep.KERNEL32(00007530), ref: 004157D3
Sleep.KERNEL32(000003E8), ref: 00415816
Sleep.KERNEL32(000003E8), ref: 0041582D
GetCurrentProcess.KERNEL32(00000080), ref: 0041584A
SetPriorityClass.KERNEL32(00000000), ref: 00415851
lstrcpyA.KERNEL32(?,http://), ref: 00415886
lstrlenA.KERNEL32(?,:%d,?), ref: 004158B2
wsprintfA.USER32 ref: 004158BD
lstrcatA.KERNEL32(?,0042A7D8), ref: 004158CF
lstrlenA.KERNEL32(?,00000002), ref: 004158E8
GetWindowRect.USER32(?,?), ref: 0041592F

Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,?,0000001E,?,?,?), ref: 00402FB3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(00000000,?,0000001E,?,?,?), ref: 00402FC3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,?,0000001E,?,?,?), ref: 00402FD3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,?,0000003E,?,?,?), ref: 00402FE3

Sleep.KERNEL32(0000012C), ref: 00415984
Sleep.KERNEL32(00004E20), ref: 004159B7

Part of subcall function 004152AB: GetDesktopWindow.USER32 ref: 004152B8
Part of subcall function 004152AB: GetWindowRect.USER32(00000000), ref: 004152C5
Part of subcall function 004152AB: GetWindowRect.USER32(?,?), ref: 004152CF
Part of subcall function 004152AB: ShowWindow.USER32(?,00000001), ref: 0041532A
Part of subcall function 004152AB: SetWindowPos.USER32(?,000000FF,?,00000000,00000258,000001F4,00000040), ref: 00415342
Part of subcall function 004152AB: ShowWindow.USER32(?,00000001), ref: 0041534B
Part of subcall function 004152AB: SetForegroundWindow.USER32(?), ref: 00415358
Part of subcall function 004152AB: SetFocus.USER32(?), ref: 00415361
Part of subcall function 004152AB: SetForegroundWindow.USER32(?), ref: 00415364
Part of subcall function 004152AB: SetFocus.USER32(?), ref: 00415367
Part of subcall function 004152AB: SetForegroundWindow.USER32(?), ref: 0041536A
Part of subcall function 004152AB: SetFocus.USER32(?), ref: 0041536D
Part of subcall function 004152AB: Sleep.KERNEL32(00000064), ref: 00415371
Part of subcall function 004152AB: ShowWindow.USER32(?,00000001), ref: 0041537A

Part of subcall function 00415497: Sleep.KERNEL32(00000064), ref: 004154A0
Part of subcall function 00415497: SetFocus.USER32(?), ref: 004154B0
Part of subcall function 00415497: Sleep.KERNEL32(00000064), ref: 004154B8
Part of subcall function 00415497: Sleep.KERNEL32(00000064), ref: 004154C1

Part of subcall function 00415104: lstrlenA.KERNEL32(?), ref: 00415114
Part of subcall function 00415104: lstrlenA.KERNEL32(-00000005), ref: 00415209
Part of subcall function 00415104: lstrlenA.KERNEL32(-00000005), ref: 00415211

Part of subcall function 00415623: lstrlenA.KERNEL32(?), ref: 00415665
Part of subcall function 00415623: lstrlenA.KERNEL32(?), ref: 0041566D
Part of subcall function 00415623: lstrlenA.KERNEL32(?), ref: 004156C9
Part of subcall function 00415623: lstrcatA.KERNEL32(?,0042A440), ref: 004156E0
Part of subcall function 00415623: lstrcatA.KERNEL32(?,?), ref: 004156E7

ShowWindow.USER32(?,00000000), ref: 004159F9
Sleep.KERNEL32(00002710), ref: 00415A04
ShowWindow.USER32(?,00000005), ref: 00415A09
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00415A89
Sleep.KERNEL32(00000190,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00415A95

Part of subcall function 004154D8: SetFocus.USER32(?), ref: 00415516
Part of subcall function 004154D8: Sleep.KERNEL32(00000064), ref: 00415539

ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00415AB1
Sleep.KERNEL32(00000190,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00415AB8

Part of subcall function 00415547: Sleep.KERNEL32(000001F4), ref: 0041556E
Part of subcall function 00415547: lstrcmpA.KERNEL32(00000000,?), ref: 0041559A

ShowWindow.USER32(?,00000000), ref: 00415AD5
Sleep.KERNEL32(00000190), ref: 00415ADC

Part of subcall function 004155B7: SetFocus.USER32(?), ref: 004155FA

ShowWindow.USER32(?,00000000), ref: 00415AF8
ShowWindow.USER32(00000000,00000000), ref: 00415B08
GetWindowThreadProcessId.USER32(00000000,0045985C), ref: 00415B14
GetCurrentProcess.KERNEL32(00000020), ref: 00415B23
SetPriorityClass.KERNEL32(00000000), ref: 00415B2A
Sleep.KERNEL32(00004E20), ref: 00415B35

Strings

:%d, xrefs: 004158A9
http://, xrefs: 0041587D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Sleep$Show$lstrlen$Focus$lstrcpyn$ForegroundProcessRectlstrcat$ClassCurrentPriority$CountDesktopThreadTicklstrcmplstrcpywsprintf
String ID: :%d$http://
API String ID: 1001066556-2872252496
Opcode ID: ba28c1880504dae10be224ee53f31106fed06acb865c1f68055e3351f5758be1
Instruction ID: 1a0f13dbbb03e331f307676340b79c983e3ef856dc49174a57c53eedfa74bf4b
Opcode Fuzzy Hash: ba28c1880504dae10be224ee53f31106fed06acb865c1f68055e3351f5758be1
Instruction Fuzzy Hash: CEA1F972901704FBEB11BB60DD4AFEE376CAF55305F10006AFA04A1192DB7C9A86876E

Function 0040D83E Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 223threadsleepstringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040D849
CreateThread.KERNEL32(00000000,00000000,00415D7A,00000000,00000000,00000000), ref: 0040D871
Sleep.KERNEL32(0001D4C0), ref: 0040D878
CreateThread.KERNEL32(00000000,00000000,Function_00005F6F,00000000,00000000,00000000), ref: 0040D888
CreateThread.KERNEL32(00000000,00000000,Function_0000604A,00000000,00000000,00000000), ref: 0040D8AE
GetTickCount.KERNEL32 ref: 0040D8B0
GetTickCount.KERNEL32 ref: 0040D8BD
Sleep.KERNEL32(000003E8), ref: 0040D8CC
CreateThread.KERNEL32(00000000,00000000,Function_0000D016,00000000,00000000,00000000), ref: 0040D8E9
Sleep.KERNEL32(00007530), ref: 0040D8F7
lstrcatA.KERNEL32(00459550,\WinRAR\rar.exe), ref: 0040D957
CreateThread.KERNEL32(00000000,00000000,Function_00001F9D,00000000,00000000,00000000), ref: 0040D978
CreateThread.KERNEL32(00000000,00000000,0041272F,00000000,00000000,00000000), ref: 0040D98C
CreateThread.KERNEL32(00000000,00000000,Function_00012FDD,00000000,00000000,00000000), ref: 0040D998
CreateThread.KERNEL32(00000000,00000000,Function_000095B5,00000000,00000000,00000000), ref: 0040D9A4
CreateThread.KERNEL32(00000000,00000000,004116A8,00000000,00000000,00000000), ref: 0040D9B0
CreateThread.KERNEL32(00000000,00000000,Function_00006B75,00000000,00000000,00000000), ref: 0040D9BC
CreateThread.KERNEL32(00000000,00000000,Function_000056A7,00000000,00000000,00000000), ref: 0040D9C8
CreateThread.KERNEL32(00000000,00000000,Function_00008CB0,00000000,00000000,00000000), ref: 0040D9E4
CreateThread.KERNEL32(00000000,00000000,Function_000076C6,00000000,00000000,00000000), ref: 0040D9F0
CreateThread.KERNEL32(00000000,00000000,Function_000073CE,00000000,00000000,00000000), ref: 0040D9FC
CreateThread.KERNEL32(00000000,00000000,Function_000085CA,00000000,00000000,00000000), ref: 0040DA08
CreateThread.KERNEL32(00000000,00000000,Function_00007DF4,00000000,00000000,00000000), ref: 0040DA14
CreateThread.KERNEL32(00000000,00000000,00411206,00000000,00000000,00000000), ref: 0040DA20
CreateThread.KERNEL32(00000000,00000000,004157A7,00000000,00000000,00000000), ref: 0040DA2C
CreateThread.KERNEL32(00000000,00000000,0041C19E,00000000,00000000,00000000), ref: 0040DA38
Sleep.KERNEL32(00A4CB80), ref: 0040DA49

Strings

\WinRAR\rar.exe, xrefs: 0040D951

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CreateThread$Sleep$CountTick$lstrcat
String ID: \WinRAR\rar.exe
API String ID: 4190259895-4135181939
Opcode ID: 277c804197aa7d90b52c5cbebdc41bdb7614632443af62fe0fe6e982fd7aa106
Instruction ID: b5e03ec3d1ab7aa72586ffd96dea160173fde5e76d96af4e3afdbc534cda32d7
Opcode Fuzzy Hash: 277c804197aa7d90b52c5cbebdc41bdb7614632443af62fe0fe6e982fd7aa106
Instruction Fuzzy Hash: A6519DE0A4535CBEF22037B26CC6E3B2E0CDA517DD714043BB406710D289BC8C998A7E

Function 0041E79A Relevance: 48.2, APIs: 18, Strings: 14, Instructions: 153stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(0041EF88,PSTN_BALANCE,0045B918,00000000,?,0041EF88,0045B920), ref: 0041E7C8
lstrcmpA.KERNEL32(0041EF88,FULLNAME), ref: 0041E7D8
lstrcpyA.KERNEL32(0045B204,00000001), ref: 0041E7E4
lstrcmpA.KERNEL32(0041EF88,BIRTHDAY), ref: 0041E7F5
lstrcmpA.KERNEL32(0041EF88,SEX), ref: 0041E805

Strings

SEX, xrefs: 0041E7FF
BIRTHDAY, xrefs: 0041E7EF
HOMEPAGE, xrefs: 0041E8DA
PHONE_OFFICE, xrefs: 0041E8AE
IPCOUNTRY, xrefs: 0041E84C
PSTN_BALANCE, xrefs: 0041E7BC
CITY, xrefs: 0041E87F
PHONE_HOME, xrefs: 0041E898
COUNTRY, xrefs: 0041E833
ABOUT, xrefs: 0041E8F3
FULLNAME, xrefs: 0041E7D2
TIMEZONE, xrefs: 0041E92B
MOOD_TEXT, xrefs: 0041E90C
PHONE_MOBILE, xrefs: 0041E8C4

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmp$lstrcpy
String ID: ABOUT$BIRTHDAY$CITY$COUNTRY$FULLNAME$HOMEPAGE$IPCOUNTRY$MOOD_TEXT$PHONE_HOME$PHONE_MOBILE$PHONE_OFFICE$PSTN_BALANCE$SEX$TIMEZONE
API String ID: 3559461494-3954122781
Opcode ID: e8d82be9b08dcb3db5147793183b6bf9498cbd386925007721376df96291441b
Instruction ID: f9edd0e32f96142c206465e46909afe53b361a09739fb7dad9030ebacacff462
Opcode Fuzzy Hash: e8d82be9b08dcb3db5147793183b6bf9498cbd386925007721376df96291441b
Instruction Fuzzy Hash: A0417BB479532AB4E6116222AD82FBF1A5CCB55F99F640027BC00B11C3E78CA98255FF

Function 0041E94D Relevance: 48.1, APIs: 17, Strings: 15, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0041E95A

Part of subcall function 0041D048: EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
Part of subcall function 0041D048: lstrlenA.KERNEL32(?), ref: 0041D066
Part of subcall function 0041D048: SendMessageA.USER32(0000004A,00000000), ref: 0041D082
Part of subcall function 0041D048: LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Sleep.KERNEL32(0000000A), ref: 0041E969
Sleep.KERNEL32(0000000A), ref: 0041E977
Sleep.KERNEL32(0000000A), ref: 0041E985
Sleep.KERNEL32(0000000A), ref: 0041E993
Sleep.KERNEL32(0000000A), ref: 0041E9A1
Sleep.KERNEL32(0000000A), ref: 0041E9AF
Sleep.KERNEL32(0000000A), ref: 0041E9BD
Sleep.KERNEL32(0000000A), ref: 0041E9CB
Sleep.KERNEL32(0000000A), ref: 0041E9D9
Sleep.KERNEL32(0000000A), ref: 0041E9E7
Sleep.KERNEL32(0000000A), ref: 0041E9F5
Sleep.KERNEL32(0000000A), ref: 0041EA03
Sleep.KERNEL32(0000000A), ref: 0041EA11
Sleep.KERNEL32(0000000A), ref: 0041EA1F
Sleep.KERNEL32(0000000A), ref: 0041EA29
Sleep.KERNEL32(0000000A), ref: 0041EA37

Strings

GET PROFILE PHONE_MOBILE, xrefs: 0041E9E9
GET PROFILE ABOUT, xrefs: 0041EA05
GET PROFILE HOMEPAGE, xrefs: 0041E9F7
GET PROFILE PHONE_OFFICE, xrefs: 0041E9DB
GET PROFILE SEX, xrefs: 0041E995
GET PROFILE PHONE_HOME, xrefs: 0041E9CD
GET CURRENTUSERHANDLE, xrefs: 0041E95C, 0041E961, 0041EA21
GET PROFILE IPCOUNTRY, xrefs: 0041E9B1
GET PROFILE PSTN_BALANCE, xrefs: 0041E96B
GET PROFILE MOOD_TEXT, xrefs: 0041EA13
GET PROFILE FULLNAME, xrefs: 0041E979
GET PROFILE BIRTHDAY, xrefs: 0041E987
GET PROFILE CITY, xrefs: 0041E9BF
GET PROFILE COUNTRY, xrefs: 0041E9A3
GET PROFILE TIMEZONE, xrefs: 0041EA2B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CriticalSection$EnterLeaveMessageSendlstrlen
String ID: GET CURRENTUSERHANDLE$GET PROFILE ABOUT$GET PROFILE BIRTHDAY$GET PROFILE CITY$GET PROFILE COUNTRY$GET PROFILE FULLNAME$GET PROFILE HOMEPAGE$GET PROFILE IPCOUNTRY$GET PROFILE MOOD_TEXT$GET PROFILE PHONE_HOME$GET PROFILE PHONE_MOBILE$GET PROFILE PHONE_OFFICE$GET PROFILE PSTN_BALANCE$GET PROFILE SEX$GET PROFILE TIMEZONE
API String ID: 2946355272-1195147660
Opcode ID: 0e05c6c380154905a828118fb1f3ec784fd830000eda53cf48dd39c78da103a4
Instruction ID: 0586fa8bb1ab81b82726b65ea7d9d3e3f81e2f51b5616a92291bba97b2517846
Opcode Fuzzy Hash: 0e05c6c380154905a828118fb1f3ec784fd830000eda53cf48dd39c78da103a4
Instruction Fuzzy Hash: DE11B792F9152C3950253276BC8BD7F4F2CC9C9B7DBA4041FF504491831F8C29C6A9BA

Function 004085CA Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 280stringsleepregistryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004085DA
GetWindowsDirectoryA.KERNEL32(00000000,000000E6), ref: 00408634
lstrcpyA.KERNEL32(00000000,00000000), ref: 00408661
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408676
lstrcatA.KERNEL32(00000000,?), ref: 00408683
RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 004086C9
RegSetValueExA.ADVAPI32(?,00000000,?,?,00000000,00000004,?,00000004), ref: 004086F3
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,?,00000004), ref: 004086FC
Sleep.KERNEL32(000001F4,?,?,00000000,00000004,?,00000004), ref: 00408707
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0040872A
Sleep.KERNEL32(000003E8,?,?,00000000,00000004,?,00000004), ref: 00408735

Part of subcall function 004142EE: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,76AE83C0,76AE8A60), ref: 004142FE

lstrcpyA.KERNEL32(00000000,00000000), ref: 00408778
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408782
lstrcatA.KERNEL32(00000000,?), ref: 0040878F
lstrcpyA.KERNEL32(00000000,00000000), ref: 004087D0
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 004087DA
lstrcatA.KERNEL32(00000000,?), ref: 004087E7
lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 00408826
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408830
lstrcatA.KERNEL32(00000000,?), ref: 0040883D
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408886
lstrcatA.KERNEL32(00000000,?), ref: 00408893

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 004088D2
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 004088DC
lstrcatA.KERNEL32(00000000,?), ref: 004088E9

Part of subcall function 00408324: GetComputerNameA.KERNEL32(?,?), ref: 00408492
Part of subcall function 00408324: lstrcatA.KERNEL32(?,00000001), ref: 004084A6
Part of subcall function 00408324: lstrcatA.KERNEL32(?,?), ref: 004084FE
Part of subcall function 00408324: lstrcatA.KERNEL32(?,0042A3B0), ref: 00408530
Part of subcall function 00408324: lstrcatA.KERNEL32(?,00000001), ref: 0040853A
Part of subcall function 00408324: CopyFileA.KERNEL32(0000007F,?,00000001), ref: 00408553
Part of subcall function 00408324: SetFileAttributesA.KERNEL32(?,00000080), ref: 00408565
Part of subcall function 00408324: Sleep.KERNEL32(00000001), ref: 00408583
Part of subcall function 00408324: SetFileAttributesA.KERNEL32(0000007F,00000080), ref: 00408592
Part of subcall function 00408324: DeleteFileA.KERNEL32(0000007F), ref: 00408595

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 0040887C

Part of subcall function 00408324: GetUserNameA.ADVAPI32(?,?), ref: 0040838E
Part of subcall function 00408324: wsprintfA.USER32 ref: 004083B8
Part of subcall function 00408324: ShellExecuteA.SHELL32(00000000,00000000,takeown,?,00000000,00000000), ref: 004083CD
Part of subcall function 00408324: Sleep.KERNEL32(000007D0), ref: 004083D8
Part of subcall function 00408324: wsprintfA.USER32 ref: 004083F2
Part of subcall function 00408324: ShellExecuteA.SHELL32(00000000,00000000,icacls,?,00000000,00000000), ref: 00408407
Part of subcall function 00408324: Sleep.KERNEL32(00000BB8), ref: 00408412
Part of subcall function 00408324: lstrlenA.KERNEL32(?), ref: 00408425

Strings

C:\Windows\system32\, xrefs: 0040881A, 00408870, 004088C6

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$Sleeplstrcpy$File$AttributesExecuteShell$CreateNamewsprintf$CloseComputerCopyDeleteDirectorySnapshotToolhelp32UserValueWindowslstrlen
String ID: C:\Windows\system32\
API String ID: 3762291812-1520839452
Opcode ID: 4225e2a9f6c30a0eb4da557927706b4a7f56f109547df7c5c5968730367a42af
Instruction ID: c2cce530174d335f4e65662834358c013a2ccb5602420c717432df29190648c8
Opcode Fuzzy Hash: 4225e2a9f6c30a0eb4da557927706b4a7f56f109547df7c5c5968730367a42af
Instruction Fuzzy Hash: D891F1B291021C6ADB11E7E0DD45FEA77BCEB48714F5404BBF605F2081EA78AB84CB65

Function 0041CCD4 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 233windowsleepthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041CCED
GetClassNameA.USER32(?,?,00000032), ref: 0041CD09
GetTickCount.KERNEL32 ref: 0041CD13
SetCursorPos.USER32(00000000,00000000), ref: 0041CD29
IsWindowVisible.USER32(?), ref: 0041CD4D
IsWindowVisible.USER32(?), ref: 0041CD91
ShowWindow.USER32(?,00000000), ref: 0041CD9A
GetTickCount.KERNEL32 ref: 0041CDD8
GetTickCount.KERNEL32 ref: 0041CDFA
SetForegroundWindow.USER32(?), ref: 0041CE21
SetFocus.USER32(?), ref: 0041CE2A
SetForegroundWindow.USER32(00000002), ref: 0041CE2F
SetFocus.USER32(00000002), ref: 0041CE34
SetForegroundWindow.USER32(00000002), ref: 0041CE39
SetFocus.USER32(00000002), ref: 0041CE3E
SetCursorPos.USER32(00000000,00000000), ref: 0041CE44
SetCursorPos.USER32(00000000,00000000,00000000), ref: 0041CE70
SetCursorPos.USER32(00000000,00000000), ref: 0041CE9C
GetWindowRect.USER32(00000002,?), ref: 0041CEAF
SetFocus.USER32(?), ref: 0041CF35
GetCursorPos.USER32(?), ref: 0041CF5A
SetCursorPos.USER32(00000002,?), ref: 0041CF66
Sleep.KERNEL32(00000032), ref: 0041CF70

Part of subcall function 004141AC: SendInput.USER32(00000002,00000000,0000001C), ref: 004141DE

Sleep.KERNEL32(00000032), ref: 0041CF79
SetCursorPos.USER32(?,?), ref: 0041CF81

Strings

TCommunicatorForm., xrefs: 0041CD34
tSkMainForm., xrefs: 0041CD75

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Cursor$Focus$CountForegroundTick$SleepVisible$ClassInputNameProcessRectSendShowThread
String ID: TCommunicatorForm.$tSkMainForm.
API String ID: 2712077931-3065349318
Opcode ID: 017ed899241fdeb08b60c5f34f16ee895284aff57d3c9725eceff3085ae614bf
Instruction ID: 7b726061328220649099ec34847a84877283f267fc68fae1db7158865fd20614
Opcode Fuzzy Hash: 017ed899241fdeb08b60c5f34f16ee895284aff57d3c9725eceff3085ae614bf
Instruction Fuzzy Hash: AA810371940208BBDF219BA0DC85FDF7F79EF04304F404096F905A22A2D7799A96CBA9

Function 0041662B Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 188stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,76AF0440,?,00416BE9,?,?,?), ref: 00416642
lstrlenA.KERNEL32(?,?,00416BE9,?,?), ref: 0041667E
wsprintfA.USER32 ref: 004166A5

Strings

URLBase, xrefs: 00416728
controlURL, xrefs: 0041683F
GET %s HTTP/1.1HOST: %sACCEPT-LANGUAGE: en, xrefs: 0041669F
friendlyName, xrefs: 004166F8
http://%s/, xrefs: 00416750
<serviceType>%s</serviceType>, xrefs: 004167B6
%s%s:%s:%d, xrefs: 004167A7
</service>, xrefs: 0041680B
modelName, xrefs: 00416710

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$wsprintf
String ID: %s%s:%s:%d$</service>$<serviceType>%s</serviceType>$GET %s HTTP/1.1HOST: %sACCEPT-LANGUAGE: en$URLBase$controlURL$friendlyName$http://%s/$modelName
API String ID: 1220175532-320095921
Opcode ID: a14fee9dd5f62a11f8f1d76a127600e44c560fd122f20b70fef70dd4d47d74d4
Instruction ID: 616d92ada8dbdb85c4e2a9650ac82afae0139046dc8987e1b6d74a61cc5f750b
Opcode Fuzzy Hash: a14fee9dd5f62a11f8f1d76a127600e44c560fd122f20b70fef70dd4d47d74d4
Instruction Fuzzy Hash: 266130B6D00118ABDB11EB94DD45EDE77BCAB08304F4144A7AA09E3041EB78DBD9CF69

Function 00405D79 Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 183windowthreadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000002), ref: 00405D85
IsWindowVisible.USER32(?), ref: 00405D93
GetWindowTextA.USER32(?,?,00000080), ref: 00405DAD
GetWindowThreadProcessId.USER32(?,?), ref: 00405DBF
ShowWindow.USER32(?,00000000), ref: 00405DF9
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405E04
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00405E15
DestroyWindow.USER32(?), ref: 00405E1C
GetClassNameA.USER32(?,?,00000020), ref: 00405E43
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405E67
ShowWindow.USER32(?,00000000), ref: 00405EC6
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405ED1
ShowWindow.USER32(?,00000000), ref: 00405ED5
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405EE0
EnableWindow.USER32(?,00000000), ref: 00405EE4
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00405EF9
DestroyWindow.USER32(?), ref: 00405F00
ShowWindow.USER32(?,00000000), ref: 00405F59

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

GetWindowThreadProcessId.USER32(?,?), ref: 00405F37
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405F4E
DestroyWindow.USER32(?), ref: 00405F51

Strings

skype, xrefs: 00405F1C
- , xrefs: 00405EB3
twitter, xrefs: 00405DD7, 00405E8D
tooltips_class32, xrefs: 00405E4D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$MessagePost$Show$Destroy$ProcessThreadlstrlen$ClassEnableNameSleepTextVisible
String ID: - $skype$tooltips_class32$twitter
API String ID: 968148897-3706606202
Opcode ID: 3976e576093891d2386c3fc19554f5d567771aff1a74ec8261fc56ca94719168
Instruction ID: 54639c6e0f4210a215bb2e5edd6b10eb1cc48d076ecbf56d7b59a4990fe04e6e
Opcode Fuzzy Hash: 3976e576093891d2386c3fc19554f5d567771aff1a74ec8261fc56ca94719168
Instruction Fuzzy Hash: A151C1B1209705BFE620EF60EC89EAB379CEB05345F50043AF641912D1DB799E468B7E

Function 0041C66F Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 0041C68A

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

IsWindowVisible.USER32(?), ref: 0041C6A8
GetDesktopWindow.USER32 ref: 0041C6D1
GetWindowRect.USER32(00000000), ref: 0041C6DE
GetWindowRect.USER32(?,?), ref: 0041C6E5
SetWindowTextA.USER32(?,0042A440), ref: 0041C6ED
SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 0041C712
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0041C758
ShowWindow.USER32(?,00000000), ref: 0041C760

Strings

tSkNotify, xrefs: 0041C73C
tSkACLForm., xrefs: 0041C6BC
tSkMainForm., xrefs: 0041C696

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Rectlstrlen$ClassDesktopMessageNamePostShowTextVisible
String ID: tSkACLForm.$tSkMainForm.$tSkNotify
API String ID: 3986333915-155394806
Opcode ID: d809c220127ab04c6e26cd707719160ad7a6ce2147e81f535c59c85863e19db1
Instruction ID: 4ca3ed5e47817913f35c8832715780e6f4b1c516ac5aeb0efc9290197966c096
Opcode Fuzzy Hash: d809c220127ab04c6e26cd707719160ad7a6ce2147e81f535c59c85863e19db1
Instruction Fuzzy Hash: 0141E4B2A44315BBD730A7B19D89F9B3F6CEB08720F101556FA12E21C2CA78E450CA7D

Function 00402F35 Relevance: 42.3, APIs: 19, Strings: 5, Instructions: 329stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,0000001E,?,?,?), ref: 00402FB3

Part of subcall function 00413868: GetTickCount.KERNEL32 ref: 00413883

Part of subcall function 004135C8: lstrlenA.KERNEL32(0040C523,?,?,00000000), ref: 004135F4

lstrcpynA.KERNEL32(00000000,?,0000001E,?,?,?), ref: 00402FC3
lstrcpynA.KERNEL32(?,?,0000001E,?,?,?), ref: 00402FD3
lstrcpynA.KERNEL32(?,?,0000003E,?,?,?), ref: 00402FE3
GetTickCount.KERNEL32 ref: 0040303E
lstrlenA.KERNEL32(?,?,?,?), ref: 00403055
lstrlenA.KERNEL32(?,?,?,?), ref: 0040309C
lstrcpyA.KERNEL32(?,http://,?,?,?), ref: 0040315B
lstrlenA.KERNEL32(?,:%d,00000050,?,?,?), ref: 0040318A
wsprintfA.USER32 ref: 0040318F
lstrlenA.KERNEL32(?,/%s,?,?,?,?), ref: 004031A4
wsprintfA.USER32 ref: 004031A9
lstrlenA.KERNEL32(?,/%s,00000000,?,?,?), ref: 004031BE
wsprintfA.USER32 ref: 004031C3
lstrlenA.KERNEL32(?,/%s,?,?,?,?), ref: 004031D8
wsprintfA.USER32 ref: 004031DD
lstrlenA.KERNEL32(?,?i=%s&l=%s&t=%s,?,?,?,?,?,?), ref: 004031F4
wsprintfA.USER32 ref: 004031F9
lstrlenA.KERNEL32(?), ref: 004031FF

Strings

:%d, xrefs: 00403184
/%s, xrefs: 0040319E, 004031B8, 004031D2
?i=%s&l=%s&t=%s, xrefs: 004031EE
null, xrefs: 00402F50
http://, xrefs: 00403155

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$wsprintf$lstrcpyn$CountTick$lstrcpy
String ID: /%s$:%d$?i=%s&l=%s&t=%s$http://$null
API String ID: 4185424064-1823269905
Opcode ID: aba95a1e2762d2d02715140dc1ca3af52ab43fc2b6df50f2811dc7ee30781597
Instruction ID: 72dd0d13ca70cfdff163accb205508d9fedcb1d1d3dab536917e016eec2f988d
Opcode Fuzzy Hash: aba95a1e2762d2d02715140dc1ca3af52ab43fc2b6df50f2811dc7ee30781597
Instruction Fuzzy Hash: D4A1E572904288AADF11EFA4DC45ADE3F9C9F05318F54443BF914AA2C2D77CDA058B6A

Function 00408324 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 227stringsleepfileCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0040838E

Part of subcall function 00414510: lstrlenA.KERNEL32(0040D67B,00000000,0040D67B,00000000), ref: 00414516

wsprintfA.USER32 ref: 004083B8
ShellExecuteA.SHELL32(00000000,00000000,takeown,?,00000000,00000000), ref: 004083CD
Sleep.KERNEL32(000007D0), ref: 004083D8
wsprintfA.USER32 ref: 004083F2
ShellExecuteA.SHELL32(00000000,00000000,icacls,?,00000000,00000000), ref: 00408407
Sleep.KERNEL32(00000BB8), ref: 00408412
lstrlenA.KERNEL32(?), ref: 00408425
GetComputerNameA.KERNEL32(?,?), ref: 00408492
lstrcatA.KERNEL32(?,00000001), ref: 004084A6
lstrcatA.KERNEL32(?,?), ref: 004084FE
lstrcatA.KERNEL32(?,0042A3B0), ref: 00408530
lstrcatA.KERNEL32(?,00000001), ref: 0040853A
CopyFileA.KERNEL32(0000007F,?,00000001), ref: 00408553
SetFileAttributesA.KERNEL32(?,00000080), ref: 00408565
Sleep.KERNEL32(00000001), ref: 00408583
SetFileAttributesA.KERNEL32(0000007F,00000080), ref: 00408592
DeleteFileA.KERNEL32(0000007F), ref: 00408595
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,0000007F,00000000), ref: 004085A6

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 004085A1
takeown, xrefs: 004083C6
%s /grant %s:D, xrefs: 004083EC
/f %s, xrefs: 004083B2
icacls, xrefs: 00408400

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$lstrcat$Sleep$AttributesCopyExecuteNameShelllstrlenwsprintf$ComputerDeleteUser
String ID: %s /grant %s:D$/f %s$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$icacls$takeown
API String ID: 887666959-343965072
Opcode ID: f0c35e02ed1229f2405299b24346018c684d3f83add17e5ea9127f7430e31fad
Instruction ID: 3939c6074a173fcdfa0f14eb7da2ef2ef8448beaebc060f0d5e405bee58feb71
Opcode Fuzzy Hash: f0c35e02ed1229f2405299b24346018c684d3f83add17e5ea9127f7430e31fad
Instruction Fuzzy Hash: CA71A272944218BFDF109BA4DC49EEE7B7CEF45704F0400AAF949A3191DF389A858F69

Function 0040F0E0 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 288networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB47: lstrcpyA.KERNEL32(00000027,0042A7D4,?,76AE83C0,00000000,00000000,?,?,00500000,?,00000027), ref: 0040EB66
Part of subcall function 0040EB47: lstrlenA.KERNEL32(00000000), ref: 0040EB8A

socket.WS2_32(00000002,00000001,00000006), ref: 0040F16C
htons.WS2_32(?), ref: 0040F18E
connect.WS2_32(?,?,00000010), ref: 0040F1A1
wsprintfA.USER32 ref: 0040F1F7
lstrlenA.KERNEL32(?,00000000), ref: 0040F20A
send.WS2_32(?,?,00000000), ref: 0040F21B
select.WS2_32(?,00000001,00000000,00000000,?), ref: 0040F254
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040F262
recv.WS2_32(?,?,00000001,00000000), ref: 0040F27C

Strings

chunked, xrefs: 0040F3B6
content-length, xrefs: 0040F2EE
transfer-encoding, xrefs: 0040F3A1
0, xrefs: 0040F431

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$connecthtonslstrcpyrecvselectsendsocketwsprintf
String ID: 0$chunked$content-length$transfer-encoding
API String ID: 1838493728-40983872
Opcode ID: 9201bdf8cc6a7f0593ba6ec369a208587268ce31896436264240754d634d7038
Instruction ID: 40cfbdb6b8a0f10b890aa6bab67d98a43da17613289cd9da5c7ab6e3ab63f530
Opcode Fuzzy Hash: 9201bdf8cc6a7f0593ba6ec369a208587268ce31896436264240754d634d7038
Instruction Fuzzy Hash: FEB18A71500208AFEF21DF64DC44BEA77A9FB04704F5040BAF905E6192DB79AA89CF65

Function 0041C4C8 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 0041C4E3

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

IsWindowVisible.USER32(?), ref: 0041C501
GetDesktopWindow.USER32 ref: 0041C52A
GetWindowRect.USER32(00000000), ref: 0041C537
GetWindowRect.USER32(?,?), ref: 0041C53E
SetWindowTextA.USER32(?,0042A440), ref: 0041C546
SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 0041C56B
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0041C5AD
ShowWindow.USER32(?,00000000), ref: 0041C5B5

Strings

tSkNotify, xrefs: 0041C595
tSkACLForm., xrefs: 0041C515
tSkMainForm., xrefs: 0041C4EF

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Rectlstrlen$ClassDesktopMessageNamePostShowTextVisible
String ID: tSkACLForm.$tSkMainForm.$tSkNotify
API String ID: 3986333915-155394806
Opcode ID: c14a4ee13b1a314e44961800a36f915c8e729132134e97eb4ac3e4cf8d7f5564
Instruction ID: f1947c54833e8a5c071f9f869f208415e8984487400319f91f78b484a6a3a814
Opcode Fuzzy Hash: c14a4ee13b1a314e44961800a36f915c8e729132134e97eb4ac3e4cf8d7f5564
Instruction Fuzzy Hash: DA41B6B2A44314BBD730ABB59D89F9F3F6CEB08724F541556FA02A21C1CA7CE450CA79

Function 0041DE57 Relevance: 39.1, APIs: 13, Strings: 13, Instructions: 147stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000001,FAILUREREASON,?,?,00000000,0045B918,0041F049,0045B925), ref: 0041DED9
lstrcmpA.KERNEL32(00000001,REMOTELY_CANCELLED,?,00000000,0045B918,0041F049,0045B925), ref: 0041DEE9
lstrcmpA.KERNEL32(00000001,REMOTE_DOES_NOT_SUPPORT_FT,?,00000000,0045B918,0041F049,0045B925), ref: 0041DEFE
lstrcmpA.KERNEL32(00000001,FILEPATH,?,00000000,0045B918,0041F049,0045B925), ref: 0041DFC2

Strings

FAILED, xrefs: 0041DF7A
WAITING_FOR_ACCEPT, xrefs: 0041DF1D
TRANSFERRING, xrefs: 0041DF32
FAILUREREASON, xrefs: 0041DED3
STATUS, xrefs: 0041DF11
FILEPATH, xrefs: 0041DFBC
TRANSFERRING_OVER_RELAY, xrefs: 0041DF44
TYPE, xrefs: 0041DF8C
PARTNER_HANDLE, xrefs: 0041DFA4
REMOTELY_CANCELLED, xrefs: 0041DEDF
CANCELLED, xrefs: 0041DF56
REMOTE_DOES_NOT_SUPPORT_FT, xrefs: 0041DEF8
COMPLETED, xrefs: 0041DF68

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmp
String ID: CANCELLED$COMPLETED$FAILED$FAILUREREASON$FILEPATH$PARTNER_HANDLE$REMOTELY_CANCELLED$REMOTE_DOES_NOT_SUPPORT_FT$STATUS$TRANSFERRING$TRANSFERRING_OVER_RELAY$TYPE$WAITING_FOR_ACCEPT
API String ID: 1534048567-744108491
Opcode ID: ec0cd1e2b90010dfda27b275c556f8175fe93904ff42968a33ce4f6e27d3a9cc
Instruction ID: 72b9af55eec2882945b3e114dfeaaf4924080daac8686bd805d82c4e419bdb68
Opcode Fuzzy Hash: ec0cd1e2b90010dfda27b275c556f8175fe93904ff42968a33ce4f6e27d3a9cc
Instruction Fuzzy Hash: B64108B1B0C756B9E71166316D05F976F8C9F11788F14011BFC16A2283FB9CEA8642BE

Function 0040ED45 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 286networkfilestringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040EDCD

Part of subcall function 004138BC: inet_addr.WS2_32(?), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000050), ref: 0040EDEF
connect.WS2_32(?,?,00000010), ref: 0040EE02
wsprintfA.USER32 ref: 0040EE3F
lstrlenA.KERNEL32(?,00000000), ref: 0040EE50
send.WS2_32(?,?,00000000), ref: 0040EE61
select.WS2_32(?,00000001,00000000,00000000,0000012C), ref: 0040EEAC
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040EEBA
recv.WS2_32(?,?,00000001,00000000), ref: 0040EED7
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000,0000012C), ref: 0040EFB3
select.WS2_32(?,?,00000000,00000000,0000012C), ref: 0040F00C
__WSAFDIsSet.WS2_32(?,?), ref: 0040F01A
recv.WS2_32(?,?,0000012C,00000000), ref: 0040F03D
WriteFile.KERNEL32(00000050,?,00000000,?,00000000,?,?,?,?,00000000,00000000,0000012C), ref: 0040F05F
DeleteFileA.KERNEL32(?,?,?,?,?,00000000,00000000,0000012C), ref: 0040F096
closesocket.WS2_32(?), ref: 0040F09F
CloseHandle.KERNEL32(00000050), ref: 0040F0B7
CloseHandle.KERNEL32(00000050,?,?,?,?,00000000,00000000,0000012C), ref: 0040F0CF
closesocket.WS2_32(?), ref: 0040F0D6

Strings

P, xrefs: 0040ED93
content-length, xrefs: 0040EF48

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseHandleclosesocketrecvselect$CreateDeleteWriteconnectgethostbynamehtonsinet_addrlstrlensendsocketwsprintf
String ID: P$content-length
API String ID: 3774398911-3848048151
Opcode ID: ba15c6579de2a9f8b190b4e6ed1e9fdf60cd2fcf7e62dba43eb5082df7cbf481
Instruction ID: df7c141f36d014bdbe9f01baf4845fad3867586616f8a03ca99066f9affce91e
Opcode Fuzzy Hash: ba15c6579de2a9f8b190b4e6ed1e9fdf60cd2fcf7e62dba43eb5082df7cbf481
Instruction Fuzzy Hash: 1FB17F7290021AAFDF219FA1DC49AEE77BCEB04340F5044B7FA04E2191DB749A958FA5

Function 00416912 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 226networkstringsleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000000), ref: 0041693B
WSACreateEvent.WS2_32 ref: 0041697A
WSAEventSelect.WS2_32(?,00000000,00000001), ref: 00416989
wsprintfA.USER32 ref: 004169BA
wsprintfA.USER32 ref: 004169CB
Sleep.KERNEL32(00000000), ref: 004169E9
GetTickCount.KERNEL32 ref: 004169FA
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,000003E8,00000000), ref: 00416A0F
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 00416A39
recv.WS2_32(?,?,000027D8,00000000), ref: 00416A5A
WSAEventSelect.WS2_32(?,?,00000000), ref: 00416A7D
WSACloseEvent.WS2_32(?), ref: 00416A86
closesocket.WS2_32(?), ref: 00416A8F

Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168B8
Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168DA
Part of subcall function 00416896: inet_addr.WS2_32(000001D8), ref: 004168ED

wsprintfA.USER32 ref: 00416AD6
lstrcmpA.KERNEL32(?,LOCATION:,?,?,?,00000009), ref: 00416B5E
lstrlenA.KERNEL32(?), ref: 00416B8A
lstrlenA.KERNEL32(?), ref: 00416B95
lstrcpyA.KERNEL32(?,?), ref: 00416BBF

Strings

%s%s:%s:%d, xrefs: 004169B4, 00416AD0
M-SEARCH * HTTP/1.1HOST: 239.255.255.250:1900MAN: "ssdp:discover"MX: %dST: %s, xrefs: 004169C5
LOCATION:, xrefs: 00416B52

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Event$wsprintf$AdaptersEventsInfoSelectlstrlen$CloseCountCreateEnumMultipleNetworkSleepTickWaitclosesocketinet_addrlstrcmplstrcpyrecvsocket
String ID: %s%s:%s:%d$LOCATION:$M-SEARCH * HTTP/1.1HOST: 239.255.255.250:1900MAN: "ssdp:discover"MX: %dST: %s
API String ID: 2562599888-3500286704
Opcode ID: b77233556a7725e177ed8c5a668ddfbb9ea8689ee60f8ad2de43d20d68d6390f
Instruction ID: 9e51965793058bf11e0cbbee6e673dd6e2c4d97b6ca73878eae949ba9782d4d4
Opcode Fuzzy Hash: b77233556a7725e177ed8c5a668ddfbb9ea8689ee60f8ad2de43d20d68d6390f
Instruction Fuzzy Hash: FC8180B2900218ABDF21DB90DC49EDE7B7DBF45304F4440ABFA08E2151DB789A95CF5A

Function 00410C84 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 232stringfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 00410CB8
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00410CC6
lstrlenA.KERNEL32(?), ref: 00410CDD
lstrlenA.KERNEL32(00000001), ref: 00410D14
lstrcatA.KERNEL32(00000000,00000000), ref: 00410D26
lstrlenA.KERNEL32(00000000), ref: 00410D33
GetTickCount.KERNEL32 ref: 00410D56
lstrlenA.KERNEL32(00000000), ref: 00410DB1
lstrlenA.KERNEL32(00000000), ref: 00410DC8
lstrcpyA.KERNEL32(00000000,.rar), ref: 00410E7E
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00410ED0
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00410EEB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00410EFF
WriteFile.KERNEL32(00000000,00000000,0044F764,00000000,00000000), ref: 00410F1C
CloseHandle.KERNEL32(00000000), ref: 00410F2C

Strings

.pif, xrefs: 00410E63
.scr, xrefs: 00410E71
.exe, xrefs: 00410E5C
.bat, xrefs: 00410E6A
.rar, xrefs: 00410E78

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$File$lstrcatlstrcpy$AttributesCloseCountCreateHandlePointerTickWrite
String ID: .bat$.exe$.pif$.rar$.scr
API String ID: 2853162838-1980087502
Opcode ID: cd2cb76b9ea399bf1adc54bc28882df8a0823b127e6be962eeb4c1f6e0ca547a
Instruction ID: a707fd0e934dd8137797f0eae7484e27a9d6554787a2e330bca94269bf19ba9d
Opcode Fuzzy Hash: cd2cb76b9ea399bf1adc54bc28882df8a0823b127e6be962eeb4c1f6e0ca547a
Instruction Fuzzy Hash: 41811971A40308ABDB20DBA4EC88BEA7BB8AB15310F54446BE904D7291D7FC99C5CF5D

Function 0041EBD9 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 159sleepstringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E95A
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E969
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E977
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E985
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E993
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9A1
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9AF
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9BD
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9CB
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9D9
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9E7
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041E9F5
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041EA03
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041EA11
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041EA1F
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041EA29
Part of subcall function 0041E94D: Sleep.KERNEL32(0000000A), ref: 0041EA37

Sleep.KERNEL32(000001F4), ref: 0041EBF6
Sleep.KERNEL32(000003E8), ref: 0041EC01
Sleep.KERNEL32(00000064), ref: 0041EC1E
Sleep.KERNEL32(0000012C), ref: 0041EC2D
Sleep.KERNEL32(0000012C), ref: 0041EC30
Sleep.KERNEL32(SEARCH CHATS), ref: 0041EC43
GetTickCount.KERNEL32 ref: 0041EC4B
Sleep.KERNEL32(00000032), ref: 0041EC75
Sleep.KERNEL32(00000064), ref: 0041EC91
lstrcmpA.KERNEL32(?,0045B104), ref: 0041ECAE
CreateThread.KERNEL32(00000000,00000000,Function_0001EA3D,?,00000000,00000000), ref: 0041ECC2
Sleep.KERNEL32 ref: 0041ECCE
Sleep.KERNEL32(00000002), ref: 0041ECFE
GetTickCount.KERNEL32 ref: 0041ED0C
GetTickCount.KERNEL32 ref: 0041ED54
GetTickCount.KERNEL32 ref: 0041ED74
GetTickCount.KERNEL32 ref: 0041ED90

Part of subcall function 0041E4EA: wsprintfA.USER32 ref: 0041E511

GetTickCount.KERNEL32 ref: 0041EDAA

Strings

PING, xrefs: 0041EDBD
SEARCH CHATS, xrefs: 0041EC32

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CountTick$CreateThreadlstrcmpwsprintf
String ID: PING$SEARCH CHATS
API String ID: 3488842300-178521329
Opcode ID: ef5673201f1404c1ca3bd53deda4e981a1f0ae3839f705b7223461506a8e86ee
Instruction ID: 916bf970ecb5145056bdac1988b09c6a9c2e19ca1b4da1a1a251816765a4c4ae
Opcode Fuzzy Hash: ef5673201f1404c1ca3bd53deda4e981a1f0ae3839f705b7223461506a8e86ee
Instruction Fuzzy Hash: FB512874904386AAE720AB67EC416EE7B56BF81304F14002FE84443282E7BDECC197DE

Function 00416422 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 177networkstringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,0042A4DC,76AF0440,75D36610,?,004166C4,?,00000000,?,?,?,00416BE9,?,?), ref: 0041643E
lstrlenA.KERNEL32(?,?,004166C4,?,00000000,?,?,?,00416BE9,?,?), ref: 00416447
inet_addr.WS2_32(?), ref: 00416453
htons.WS2_32(?), ref: 00416475
socket.WS2_32(00000002,00000001,00000000), ref: 00416489
connect.WS2_32(00000000,?,00000010), ref: 004164A7
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 004164BA
send.WS2_32(00000000,?,?,00000000), ref: 004164CC
WSACreateEvent.WS2_32 ref: 004164DE
WSAEventSelect.WS2_32(00000000,00000000,00000001), ref: 004164EA
WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,000001F4,00000000,?,00416BE9,?,?), ref: 004164FF
WSAEnumNetworkEvents.WS2_32(00000000,?,?), ref: 00416518
recv.WS2_32(00000000,?,?,00000000), ref: 00416537
WSAEventSelect.WS2_32(00000000,?,00000000), ref: 00416575
WSACloseEvent.WS2_32(?), ref: 0041657E
closesocket.WS2_32(00000000), ref: 00416585
closesocket.WS2_32(00000000), ref: 00416593

Strings

errorCode, xrefs: 004165E9

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Event$EventsSelectclosesocket$CloseCreateEnumMultipleNetworkWaitconnecthtonsinet_addrioctlsocketlstrcpylstrlenrecvsendsocket
String ID: errorCode
API String ID: 2583547606-3920415024
Opcode ID: 5bede5d7b3fcbb416961ea5a444a45f1b407bf5c87ba4673ed87c0861eedf1bb
Instruction ID: 42a50d69ac69a0ee54dd750834b03585f21b0629c20ee4c731e65a41b7016928
Opcode Fuzzy Hash: 5bede5d7b3fcbb416961ea5a444a45f1b407bf5c87ba4673ed87c0861eedf1bb
Instruction Fuzzy Hash: 33518DB2501219AFDF20DFA4EC489EE3BADEF04315F41012AFE15D2161DB38D996CB69

Function 00411AE2 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 163stringtimethreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411B05
lstrcatA.KERNEL32(?,.rar), ref: 00411B35
lstrlenA.KERNEL32(?), ref: 00411B89
lstrcatA.KERNEL32(?,.bat), ref: 00411BD0
wsprintfA.USER32 ref: 00411C2E
GetDateFormatA.KERNEL32(00000409,00000000,00000000,ddd, dd MMM yyyy,?,00000046), ref: 00411C47
GetTimeFormatA.KERNEL32(00000409,00000000,00000000,HH:mm:ss,?,0000001E), ref: 00411C5D
wsprintfA.USER32 ref: 00411CA7
lstrlenA.KERNEL32(?), ref: 00411CB3
closesocket.WS2_32(?), ref: 00411CE6
ExitThread.KERNEL32 ref: 00411CF5

Strings

.pif, xrefs: 00411BC0
.scr, xrefs: 00411BB9
ddd, dd MMM yyyy, xrefs: 00411C38
.exe, xrefs: 00411BB2
application/octet-stream, xrefs: 00411C28
.bat, xrefs: 00411BC7
HH:mm:ss, xrefs: 00411C53
.rar, xrefs: 00411B2C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Formatlstrcatlstrlenwsprintf$CountDateExitThreadTickTimeclosesocket
String ID: .bat$.exe$.pif$.rar$.scr$HH:mm:ss$application/octet-stream$ddd, dd MMM yyyy
API String ID: 3598078581-1427699089
Opcode ID: fd1c5a4e983aee0bd192005bd383998f2e9dc81b205b0303a8ff2a485af2f471
Instruction ID: 9eca82a3637e8faf574de7896f30193d89e1a9b0e212edd64fec5bc27ffb3845
Opcode Fuzzy Hash: fd1c5a4e983aee0bd192005bd383998f2e9dc81b205b0303a8ff2a485af2f471
Instruction Fuzzy Hash: 4151D671604288EFEB21DFA4DC49FDA37ADAB04300F840067FB00931A1E76DA998C799

Function 00413F8E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?), ref: 00413FA3
OpenProcessToken.ADVAPI32(00000000), ref: 00413FAA
GetLastError.KERNEL32 ref: 00413FB4
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,.exe), ref: 00413FD1
GetLastError.KERNEL32 ref: 00413FD9
GetLastError.KERNEL32 ref: 00413FE0
CloseHandle.KERNEL32(00000000), ref: 004140BE

Strings

.exe, xrefs: 00413FBF

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ErrorLast$ProcessToken$CloseCurrentHandleInformationOpen
String ID: .exe
API String ID: 3182025614-4119554291
Opcode ID: 1de395bec982ee16d1ba774764177e0ec6cf3ca332c2e473e0865e044f3a2139
Instruction ID: a25941590cff0d4bff0b9fb00928191c2ec88986d9cc0e69d77e81c5d1198593
Opcode Fuzzy Hash: 1de395bec982ee16d1ba774764177e0ec6cf3ca332c2e473e0865e044f3a2139
Instruction Fuzzy Hash: 92315071A00218BBDF209FE1DC48FDE7B7CEF08744F540066F605E2160DB7999959B69

Function 00411DF7 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 297stringsleepthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411E3A
lstrlenA.KERNEL32(00000000), ref: 00411EA6
lstrlenA.KERNEL32(00000000), ref: 00411ED5
lstrlenA.KERNEL32(00000000), ref: 00411F3D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00411FA8
lstrlenA.KERNEL32(00000000), ref: 00411FC5
lstrcpyA.KERNEL32(?,00000000), ref: 00411FE7
lstrcatA.KERNEL32(00000000,0042A8E4), ref: 00412025
lstrcatA.KERNEL32(00000000,0042A8E0), ref: 00412045
lstrcatA.KERNEL32(00000000,0042A4D8), ref: 00412065
lstrcatA.KERNEL32(00000000,0042A8DC), ref: 00412085
lstrlenA.KERNEL32(00000000), ref: 004120A7
CreateThread.KERNEL32(00000000,00000000,00411AE2,?,00000000,00000000), ref: 004120E2
closesocket.WS2_32(00000000), ref: 004120EF
Sleep.KERNEL32(00000005), ref: 004120FC

Strings

Windows NT, xrefs: 00411E7A
p, xrefs: 00412089
e, xrefs: 00412099

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcat$CountCreateSleepThreadTickclosesocketioctlsocketlstrcpy
String ID: Windows NT$e$p
API String ID: 2122314254-1515810721
Opcode ID: 9f5afbe7da503b74f3a21414e0dee05916b6baa10176548eaec83a6ef007bd99
Instruction ID: 758467fef339c16e7423ce7124ac91e20933f26738648504c762f9c6b46ecbdf
Opcode Fuzzy Hash: 9f5afbe7da503b74f3a21414e0dee05916b6baa10176548eaec83a6ef007bd99
Instruction Fuzzy Hash: 3CA14A71908398AEEF21C7F4D9087EF7FA55B06304F54409BD641D62A2C7BD898AC36E

Function 0041DB98 Relevance: 31.7, APIs: 12, Strings: 9, Instructions: 195stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,0045B918,00000000), ref: 0041DBDD
lstrlenA.KERNEL32(00000001), ref: 0041DC07
lstrcmpA.KERNEL32(?,TIMESTAMP), ref: 0041DC34
lstrcmpA.KERNEL32(?,PARTNER_HANDLE), ref: 0041DC53
lstrcmpA.KERNEL32(?,FROM_HANDLE), ref: 0041DC65
lstrcmpA.KERNEL32(?,BODY), ref: 0041DC77
lstrlenA.KERNEL32(-00000005), ref: 0041DCA8
lstrcmpA.KERNEL32(?,STATUS), ref: 0041DD4C
wsprintfA.USER32 ref: 0041DD5E
lstrcmpA.KERNEL32(?,CHATNAME), ref: 0041DD7A
wsprintfA.USER32 ref: 0041DDA6

Part of subcall function 0041D048: EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
Part of subcall function 0041D048: lstrlenA.KERNEL32(?), ref: 0041D066
Part of subcall function 0041D048: SendMessageA.USER32(0000004A,00000000), ref: 0041D082
Part of subcall function 0041D048: LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Strings

FROM_HANDLE, xrefs: 0041DC5D
CHATNAME, xrefs: 0041DD72
BODY, xrefs: 0041DC6F
TIMESTAMP, xrefs: 0041DC2C
GET CHATMESSAGE %s CHATNAME, xrefs: 0041DD58
GET CHAT %s CHATMESSAGES, xrefs: 0041DDA0
@$$$#, xrefs: 0041DC8F
PARTNER_HANDLE, xrefs: 0041DC4B
STATUS, xrefs: 0041DD44

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmp$lstrlen$CriticalSectionwsprintf$EnterLeaveMessageSend
String ID: @$$$#$BODY$CHATNAME$FROM_HANDLE$GET CHAT %s CHATMESSAGES$GET CHATMESSAGE %s CHATNAME$PARTNER_HANDLE$STATUS$TIMESTAMP
API String ID: 2727930084-3421402773
Opcode ID: 1b047a4dfee4784dd052a87f6609db79e305b1c6ad2939457b7c2989d155f736
Instruction ID: 62f5e45808a0188c20558a68f814bf0c68f6b0cd72be060988d6f4810d27591e
Opcode Fuzzy Hash: 1b047a4dfee4784dd052a87f6609db79e305b1c6ad2939457b7c2989d155f736
Instruction Fuzzy Hash: FD51C7B1D0421AABDF216F75ED41ADB3BA9AF04348F24002BFD1092153EB7DD491CBA9

Function 0041F114 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 122windowstringregistryCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 0041F126
GetCurrentProcessId.KERNEL32 ref: 0041F12E
OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0041F138
UuidToStringA.RPCRT4(?,?), ref: 0041F160
lstrcpyA.KERNEL32(0045B060,Skype-API-Test-), ref: 0041F170
lstrcatA.KERNEL32(0045B060,?), ref: 0041F17A
RegisterClassA.USER32(?), ref: 0041F1AF
RpcStringFreeA.RPCRT4(?), ref: 0041F1C2
CreateWindowExA.USER32(00040100,0045B060,0042A774,008A0000,80000000,80000000,00000080,00000080,00000000,00000000,00000000), ref: 0041F1EF
CloseHandle.KERNEL32 ref: 0041F205
ShowWindow.USER32(00000000,00000000), ref: 0041F217
UpdateWindow.USER32 ref: 0041F223
TranslateMessage.USER32(?), ref: 0041F24C
DispatchMessageA.USER32(?), ref: 0041F256
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041F263
PostQuitMessage.USER32(00000000), ref: 0041F26F
DestroyWindow.USER32 ref: 0041F27B

Strings

Skype-API-Test-, xrefs: 0041F16A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: MessageWindow$CreateProcessStringUuid$ClassCloseCurrentDestroyDispatchFreeHandleOpenPostQuitRegisterShowTranslateUpdatelstrcatlstrcpy
String ID: Skype-API-Test-
API String ID: 2123903928-1726473886
Opcode ID: 97b09e785e71b3f4a5f55a6a2b6226b571743e998e104d3d4376831c1d4f3907
Instruction ID: c071033c080b5f794f024b98cb63a98bfa1b0a9c90cff00eee41faaffcfe273b
Opcode Fuzzy Hash: 97b09e785e71b3f4a5f55a6a2b6226b571743e998e104d3d4376831c1d4f3907
Instruction Fuzzy Hash: 4A4186B1905348EFDB109FA4EC88AEE7F7CFB05351F504076F905E2260D739899A8B69

Function 00406F76 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 138stringfilesleepCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00406F8B
lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 00406FF5
lstrcatA.KERNEL32(00000000,?), ref: 00407003
GetTickCount.KERNEL32 ref: 00407009
lstrlenA.KERNEL32(00000000), ref: 0040702C
lstrlenA.KERNEL32(?,?), ref: 0040704D
lstrlenA.KERNEL32(?,00000000), ref: 00407057
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00407082
lstrlenA.KERNEL32(?,?,00000000), ref: 004070A0
WriteFile.KERNEL32(00000000,?,00000000), ref: 004070AB
CloseHandle.KERNEL32(00000000), ref: 004070B2
wsprintfA.USER32 ref: 004070CE
ShellExecuteA.SHELL32(00000000,00000000,00459550,?,00000000,00000000), ref: 004070E7
Sleep.KERNEL32(000003E8), ref: 004070F2
DeleteFileA.KERNEL32(00000000), ref: 004070FF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406FE8
c -y -tk -inul -z"%s" "%s", xrefs: 004070C8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$File$CloseCountCreateDeleteExecuteHandleShellSleepTickWritelstrcatlstrcpywsprintf
String ID: C:\Users\user\AppData\Local\Temp\$c -y -tk -inul -z"%s" "%s"
API String ID: 2375108909-3982193107
Opcode ID: ba2379b44126e0aa66cc29e4233b61f044a645cf7b630842926eaf073d4f1dc3
Instruction ID: 9a316682a3d2def7cf7c719e22a0b18fcbdaeeb4e91003807991d1a23ff78275
Opcode Fuzzy Hash: ba2379b44126e0aa66cc29e4233b61f044a645cf7b630842926eaf073d4f1dc3
Instruction Fuzzy Hash: 7B41EB7290012CBBDB219B64DC48FDA7B6CDF15310F4040B6F609E2181DA749B95CFBA

Function 00416E93 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 112stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416C2F: wsprintfA.USER32 ref: 00416C44

lstrcatA.KERNEL32(?,?,00417108,0042A774,?,TCP,?,00000000,?,?,?,?,?,?,76AF23A0), ref: 00416EDF

Part of subcall function 00416C4E: wsprintfA.USER32 ref: 00416C63

lstrcatA.KERNEL32(?,?), ref: 00416F08
lstrcatA.KERNEL32(?,?), ref: 00416F2F
lstrcatA.KERNEL32(?,?), ref: 00416F58
lstrcatA.KERNEL32(?,?), ref: 00416F7F
lstrcatA.KERNEL32(?,?), ref: 00416FA6
lstrcatA.KERNEL32(?,?), ref: 00416FCF
lstrcatA.KERNEL32(?,?), ref: 00416FF6

Part of subcall function 00416C6D: lstrlenA.KERNEL32(00459868,76AE8A60,00000000,?,00417010,AddPortMapping,?,?), ref: 00416C88

Strings

NewLeaseDuration, xrefs: 00416FDB
NewPortMappingDescription, xrefs: 00416F8B
AddPortMapping, xrefs: 00417006
NewInternalClient, xrefs: 00416F64
NewInternalPort, xrefs: 00416F3D
NewRemoteHost, xrefs: 00416EBE
NewProtocol, xrefs: 00416F14
NewEnabled, xrefs: 00416FB4
NewExternalPort, xrefs: 00416EED

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$wsprintf$lstrlen
String ID: AddPortMapping$NewEnabled$NewExternalPort$NewInternalClient$NewInternalPort$NewLeaseDuration$NewPortMappingDescription$NewProtocol$NewRemoteHost
API String ID: 2282776841-2883451938
Opcode ID: d5dce4e9297c9ae454299d65d50d695627fd475a9dbdb8d640b0a2fc25fc757a
Instruction ID: a75afadfc8a632f89c4ca1dff84ad90e4702995f5f3435f5538cee90814991ea
Opcode Fuzzy Hash: d5dce4e9297c9ae454299d65d50d695627fd475a9dbdb8d640b0a2fc25fc757a
Instruction Fuzzy Hash: 1041AFF6D4012CAADB10DA91DC45FEE776DEB08204F45009BBB09E2044EA789B958FA9

Function 00406D9C Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 154stringfilesleepCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00406DB5
lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 00406E1F
lstrcatA.KERNEL32(00000000,?), ref: 00406E2D
GetTickCount.KERNEL32 ref: 00406E33
lstrlenA.KERNEL32(00000000), ref: 00406E56
wsprintfA.USER32 ref: 00406E7B
ShellExecuteA.SHELL32(00000000,00000000,00459550,?,00000000,00000000), ref: 00406E96
Sleep.KERNEL32(00000BB8), ref: 00406EA1
CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406ED3
lstrlenA.KERNEL32(?,?), ref: 00406EF5
lstrlenA.KERNEL32(?,00000000), ref: 00406EFF
ReadFile.KERNEL32(?,?,00000100,?,00000000), ref: 00406F25
CloseHandle.KERNEL32(?), ref: 00406F35
DeleteFileA.KERNEL32(00000000), ref: 00406F68

Strings

cw -y -tk -inul "%s" "%s", xrefs: 00406E75
C:\Users\user\AppData\Local\Temp\, xrefs: 00406E12

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$File$CloseCountCreateDeleteExecuteHandleReadShellSleepTicklstrcatlstrcpywsprintf
String ID: C:\Users\user\AppData\Local\Temp\$cw -y -tk -inul "%s" "%s"
API String ID: 3644005355-2241597656
Opcode ID: 6d94c83798d181f0f8b7ed1e0a5c63ca31bdc8eacf9301aeb40c0452defbd603
Instruction ID: 3fb23b9ecfadf165ffe6f97d1382b838028428942ad38c43b7683c9147d43c19
Opcode Fuzzy Hash: 6d94c83798d181f0f8b7ed1e0a5c63ca31bdc8eacf9301aeb40c0452defbd603
Instruction Fuzzy Hash: CE51757290021CBBDF219BA4DC49FDA7BBCAB48314F5004AAF605A2190DB749BD5CB69

Function 0040D2EC Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 149stringsleepCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040D32E
lstrlenA.KERNEL32(00000000), ref: 0040D335

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcatA.KERNEL32(?,.exe), ref: 0040D35D
Sleep.KERNEL32(00000064), ref: 0040D380
lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 0040D3A8
lstrlenA.KERNEL32(00000000), ref: 0040D3AF
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D3CF
Sleep.KERNEL32(00000064), ref: 0040D3F2
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040D41C
lstrlenA.KERNEL32(00000000), ref: 0040D423
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D443
Sleep.KERNEL32(00000064), ref: 0040D466

Part of subcall function 00414787: EnumProcesses.PSAPI(?,00001000,Oa@,?,0040614F,svchost.exe,0040D4DF), ref: 004147BA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D324, 0040D412
C:\Windows\system32\, xrefs: 0040D39E
.exe, xrefs: 0040D316, 0040D357, 0040D3CD, 0040D441

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Sleeplstrcatlstrcpy$EnumProcesses
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 1133451285-577769959
Opcode ID: 375bf2c603975d94a3423e50868b9aad38ca831c325337d3e10432d8ebd3801c
Instruction ID: 290fad04665f449d94154658a0f51bf0e2d2ddc89ee57f5f2291f851a3c36e9e
Opcode Fuzzy Hash: 375bf2c603975d94a3423e50868b9aad38ca831c325337d3e10432d8ebd3801c
Instruction Fuzzy Hash: 254194715083069BD704DF91D945A9E73E8FF88319F10082FF585A2082DB7CEA5E8B5B

Function 0041F298 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 112windowsleepregistryCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(SkypeControlAPIAttach), ref: 0041F2D5
RegisterWindowMessageA.USER32(SkypeControlAPIDiscover), ref: 0041F2E1
GetCurrentProcessId.KERNEL32 ref: 0041F2E8
OpenProcess.KERNEL32(00000040,00000000,00000000), ref: 0041F2F2
CreateThread.KERNEL32(00000000,00000000,Function_0001F114,00000000,00000000,00000000), ref: 0041F31F
Sleep.KERNEL32(0000000A), ref: 0041F32F
SendMessageTimeoutA.USER32(0000FFFF,00000000,00000000,000003E8,00000000), ref: 0041F352
Sleep.KERNEL32(00000000), ref: 0041F39C

Part of subcall function 0040C674: CloseHandle.KERNEL32(0041F3FB,00000000), ref: 0040C67A
Part of subcall function 0040C674: ShellExecuteA.SHELL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\takyouhoymc.exe,00000001,00000000,00000001), ref: 0040C691
Part of subcall function 0040C674: ExitProcess.KERNEL32 ref: 0040C699

Sleep.KERNEL32(0000000A), ref: 0041F364

Part of subcall function 004141E6: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004141F4
Part of subcall function 004141E6: Process32First.KERNEL32(00000000,?), ref: 00414213
Part of subcall function 004141E6: CloseHandle.KERNEL32(00000000), ref: 00414239

UnregisterClassA.USER32(0045B060), ref: 0041F3B1
CloseHandle.KERNEL32 ref: 0041F3BD
PostMessageA.USER32(?,00000012,00000000,00000000), ref: 0041F3D7

Strings

SkypeControlAPIDiscover, xrefs: 0041F2D7
SkypeControlAPIAttach, xrefs: 0041F2C1

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Message$CloseHandleProcessSleep$CreateRegisterWindow$ClassCurrentExecuteExitFirstOpenPostProcess32SendShellSnapshotThreadTimeoutToolhelp32Unregister
String ID: SkypeControlAPIAttach$SkypeControlAPIDiscover
API String ID: 1681019911-3631024799
Opcode ID: 8cfc4253ce46326dfd0062e342127bf3b29458d45f0f1fe5df60b82532e9d8d0
Instruction ID: a09ccf61d67d2fbcfa244340a74f9e618c5262166e174269941f48430cf0e82b
Opcode Fuzzy Hash: 8cfc4253ce46326dfd0062e342127bf3b29458d45f0f1fe5df60b82532e9d8d0
Instruction Fuzzy Hash: 04313971604348AFEB109B60EC85EBB3B6CE705746F50003BF914911E2CB788DDA8B6E

Function 00414C7E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

lstrlenA.KERNEL32(00000001,?,00000000,?,?,00420AA6,00000000,?,?,?,00000000), ref: 00414CB6
lstrlenA.KERNEL32(00000001,?,?,00000000), ref: 00414CC1
lstrcpyA.KERNEL32(00000000,00000001,?,?,00000000), ref: 00414CD5
lstrcpyA.KERNEL32(00000000,00420AA6,?,00000000,?,?,00420AA6,00000000,?,?,?,00000000), ref: 00414CE0
lstrcatA.KERNEL32(00000000,0042A440,?,?,00000000), ref: 00414CF6
lstrcatA.KERNEL32(00000000,00000000,?,?,00000000), ref: 00414CFA
lstrlenA.KERNEL32(?,?,?,00000000), ref: 00414D07
lstrlenA.KERNEL32(00000001,?,?,00000000), ref: 00414D33
lstrlenA.KERNEL32(00000001,?,?,00000000), ref: 00414D3A
lstrcpyA.KERNEL32(00000000,00000001,?,?,00000000), ref: 00414D50
lstrcpyA.KERNEL32(00000000,0042A440,?,?,00000000), ref: 00414D5C
lstrcatA.KERNEL32(00000000,00000000,?,?,00000000), ref: 00414D60

Strings

http:, xrefs: 00414C81, 00414C86, 00414D11, 00414D6D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcpy$lstrcat
String ID: http:
API String ID: 2983632679-838245522
Opcode ID: f8fad10a29d5aa8471607020a499bbd3ab8de9879c4ae17ea2c307c24eef908b
Instruction ID: 62fda144c49cf864dcc9d1f0225b2e0548f9b96ed26caa5c6ccefc40432326bd
Opcode Fuzzy Hash: f8fad10a29d5aa8471607020a499bbd3ab8de9879c4ae17ea2c307c24eef908b
Instruction Fuzzy Hash: 1031F5712042466BDB212BA5BC48BBB3B9C9F85714B64002BFD4182342EB5C9CD386BE

Function 00428152 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0042C208,?,?,00000000,0042C278,00000008,00424DB3), ref: 0042816A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00428186
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00428197
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004281A4
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 004281BA
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004281CB

Strings

, xrefs: 00428207
GetUserObjectInformationA, xrefs: 004281B4
GetLastActivePopup, xrefs: 00428199
GetProcessWindowStation, xrefs: 004281C5
GetActiveWindow, xrefs: 00428191
user32.dll, xrefs: 00428165
MessageBoxA, xrefs: 00428180

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: $GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-752805172
Opcode ID: c2cec2979fd55be9cd4a166be65f200ccb460f2b7fc8e12480f4fc6254f4e7c0
Instruction ID: 72c22d4f7f03d427608bec40e611ae1e70230dce0bfe9de60929506030e41661
Opcode Fuzzy Hash: c2cec2979fd55be9cd4a166be65f200ccb460f2b7fc8e12480f4fc6254f4e7c0
Instruction Fuzzy Hash: F4219830B01765EAD7209FA4BC84B6F7AA89B45B41F90007FE500D6192EEB8D9119B7E

Function 0041435D Relevance: 22.6, APIs: 15, Instructions: 102windowsleepCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0041436A
GetWindowRect.USER32(00000000), ref: 00414377
GetWindowRect.USER32(?,?), ref: 00414381
SetWindowTextA.USER32(?,0042A440), ref: 0041438F
ShowWindow.USER32(?,00000001), ref: 00414401
SetWindowPos.USER32(?,000000FF,?,00000000,00000000,00000000,00000040), ref: 0041441C
ShowWindow.USER32(?,00000001), ref: 00414425
SetForegroundWindow.USER32(?), ref: 00414432
SetFocus.USER32(?), ref: 0041443B
SetForegroundWindow.USER32(?), ref: 0041443E
SetFocus.USER32(?), ref: 00414441
SetForegroundWindow.USER32(?), ref: 00414444
SetFocus.USER32(?), ref: 00414447
Sleep.KERNEL32(00000064), ref: 0041444B
ShowWindow.USER32(?,00000001), ref: 00414454

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$FocusForegroundShow$Rect$DesktopSleepText
String ID:
API String ID: 2116996943-0
Opcode ID: 3346a8a576393b1a41f4106fb54133c9e2efe7628d2e634b27ad40588b9fa2c6
Instruction ID: e68347bb96c8cbac91d85143463683f394961395708a3bbfd9651ea0f6597c63
Opcode Fuzzy Hash: 3346a8a576393b1a41f4106fb54133c9e2efe7628d2e634b27ad40588b9fa2c6
Instruction Fuzzy Hash: A1317271E0021DAFCB10DBB9CD88EDF7B79EB88310F144655F911A3254CA78A981CB65

Function 0041040C Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C

Part of subcall function 00410335: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,76AE83C0,00000000), ref: 00410393
Part of subcall function 00410335: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004103A9
Part of subcall function 00410335: CloseHandle.KERNEL32(?), ref: 004103B2

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
lstrcatA.KERNEL32(?,?), ref: 004104CD
lstrcatA.KERNEL32(?,?), ref: 00410528
lstrcatA.KERNEL32(?,?), ref: 00410583
GetWindowsDirectoryA.KERNEL32(?,000000F0), ref: 004105CC
lstrcatA.KERNEL32(?,0042A3B0), ref: 004105DE
lstrcatA.KERNEL32(?,?), ref: 004105EE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 00410637
lstrcatA.KERNEL32(?,?), ref: 0041064B

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0041062B
C:\Windows\system32\, xrefs: 004104AB

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$lstrcpy$FileHeap$CloseCreateDirectoryFreeHandleProcessReadWindows
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 3549376159-2518840955
Opcode ID: 6c34f9ac3773b0f6fb853ef0e1c898980aa2d83685e3e02c54b299e16f4abbe1
Instruction ID: d72b5c0f04a7a801b5860cc1153d31a7b218ed3e87dac02d78eebbef0ee0db9c
Opcode Fuzzy Hash: 6c34f9ac3773b0f6fb853ef0e1c898980aa2d83685e3e02c54b299e16f4abbe1
Instruction Fuzzy Hash: EC81E7B2D0021DABDF14DFA4CD859DEB7BCEB08304F1005A6E615E7241EB74AB858FA5

Function 004106F5 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004107DA
lstrcatA.KERNEL32(?,00000000), ref: 0041081D
lstrcatA.KERNEL32(?,00000000), ref: 0041084C
GetWindowsDirectoryA.KERNEL32(?,000000F0), ref: 0041086B
lstrcatA.KERNEL32(?,0042A3B0), ref: 0041087D
lstrcatA.KERNEL32(?,00000000), ref: 0041088D
lstrcatA.KERNEL32(?,00000000), ref: 004107EE

Part of subcall function 0041068A: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,76AE8A60,?,?,?,004108D0,?,00000000,?), ref: 004106A5
Part of subcall function 0041068A: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?,004108D0,?,00000000,?), ref: 004106B6
Part of subcall function 0041068A: WriteFile.KERNEL32(00000000,?,004108D0,?,00000000,?,?,004108D0,?,00000000,?), ref: 004106D1
Part of subcall function 0041068A: CloseHandle.KERNEL32(00000000,?,?,004108D0,?,00000000,?), ref: 004106D8
Part of subcall function 0041068A: SetFileAttributesA.KERNEL32(00000000,00000002,?,?,004108D0,?,00000000,?), ref: 004106E3

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 004108AC
lstrcatA.KERNEL32(?,00000000), ref: 004108C0
lstrcpyA.KERNEL32(?,00000000), ref: 004108E1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004108A0
C:\Windows\system32\, xrefs: 004107CE

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$File$lstrcpy$AttributesHeap$AllocateCloseCountCreateDirectoryFolderFromHandleListLocationMallocPathProcessSpecialTickWindowsWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 840702394-2518840955
Opcode ID: 80a8e641399b6508dbf0078e983671f31f21b11afed267225c4bfad0ba8e470b
Instruction ID: e59ea0402cc0a97aad8de641f098a8acb5b0e4b41f94063a684b31080ab07657
Opcode Fuzzy Hash: 80a8e641399b6508dbf0078e983671f31f21b11afed267225c4bfad0ba8e470b
Instruction Fuzzy Hash: 885133B2C4021CBADB20EBA1DC89FDF777CAB55314F0445A7B505E2041EAB497D48FA5

Function 0040E8AC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149stringsleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001770,00000000,?,00000000,000003E8,?,00404494,?,?,00000000,00000000,?,?,?,00000000,00000002), ref: 0040E8C5
lstrcpyA.KERNEL32(00000000,http://,?,?,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040E8F7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E901
lstrcpyA.KERNEL32(00000000,00000000,?,?,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040E90D
GetTickCount.KERNEL32 ref: 0040E94C
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E964
lstrcpyA.KERNEL32(00000400,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E979
htons.WS2_32(00000000), ref: 0040E9B1
CreateThread.KERNEL32(00000000,00000000,0040E690,00000000,00000000,?), ref: 0040EA64
CreateThread.KERNEL32(00000000,00000000,0040DDC2,00000000,00000000,?), ref: 0040EA7E
Sleep.KERNEL32(00000032), ref: 0040EA89

Strings

http://, xrefs: 0040E8DE, 0040E8E3, 0040E8F5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcpy$CreateSleepThread$CountTickhtonslstrcatlstrlen
String ID: http://
API String ID: 3177099081-1121587658
Opcode ID: d093209fb2e0adf6becd6f0071fc5a182011687f8f701b80cf4c033edade39ce
Instruction ID: ce0d3c27ecb2eeb20cac135d9def360aaa073816567bcac841eaba6cd55d9888
Opcode Fuzzy Hash: d093209fb2e0adf6becd6f0071fc5a182011687f8f701b80cf4c033edade39ce
Instruction Fuzzy Hash: 5151D4B0604744EFC7219F35C845AD77BA8BF05314F00083EF96E96292D738A925CB6D

Function 00414787 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413D4D: GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
Part of subcall function 00413D4D: OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
Part of subcall function 00413D4D: GetCurrentThread.KERNEL32 ref: 00413D74
Part of subcall function 00413D4D: OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B

EnumProcesses.PSAPI(?,00001000,Oa@,?,0040614F,svchost.exe,0040D4DF), ref: 004147BA
lstrcpyA.KERNEL32(?,unknown,776AC310,76AF0F00,?,0040614F,svchost.exe,0040D4DF), ref: 004147EB
OpenProcess.KERNEL32(00000411,00000000,?,?,0040614F,svchost.exe,0040D4DF), ref: 004147FA
EnumProcessModules.PSAPI(00000000,?,00000004,Oa@,?,0040614F,svchost.exe,0040D4DF), ref: 00414811
GetModuleBaseNameA.PSAPI(00000000,?,?,00000104,?,0040614F,svchost.exe,0040D4DF), ref: 0041482B
lstrcmpiA.KERNEL32(?,?), ref: 0041483B
TerminateProcess.KERNEL32(00000000,00000000,?,0040614F,svchost.exe,0040D4DF), ref: 00414847
CloseHandle.KERNEL32(00000000,?,0040614F,svchost.exe,0040D4DF), ref: 00414856
EnumWindows.USER32(00405FD0,?), ref: 00414869

Strings

unknown, xrefs: 004147DF
SeDebugPrivilege, xrefs: 00414796
Oa@, xrefs: 004147AA, 004147C8, 00414806, 004147AD, 00414809

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Process$EnumOpen$CurrentThreadToken$BaseCloseHandleModuleModulesNameProcessesTerminateWindowslstrcmpilstrcpy
String ID: Oa@$SeDebugPrivilege$unknown
API String ID: 3406098452-2184523643
Opcode ID: ec7a13c7402dd98315d9eac9f825c4482461187d57bd2692ff82ea6a035ee5ef
Instruction ID: 6aacd8d1ff4dbd8605ebb6ac42f1bfe4b727bf0c1f85d46be98a7d10ae3bfef4
Opcode Fuzzy Hash: ec7a13c7402dd98315d9eac9f825c4482461187d57bd2692ff82ea6a035ee5ef
Instruction Fuzzy Hash: EB219431600259BBDB219BA0DC09BEF77BCAF40B05F4000AAFA14E1190DB78DA85CB39

Function 004152AB Relevance: 21.1, APIs: 14, Instructions: 83windowsleepCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004152B8
GetWindowRect.USER32(00000000), ref: 004152C5
GetWindowRect.USER32(?,?), ref: 004152CF
ShowWindow.USER32(?,00000001), ref: 0041532A
SetWindowPos.USER32(?,000000FF,?,00000000,00000258,000001F4,00000040), ref: 00415342
ShowWindow.USER32(?,00000001), ref: 0041534B
SetForegroundWindow.USER32(?), ref: 00415358
SetFocus.USER32(?), ref: 00415361
SetForegroundWindow.USER32(?), ref: 00415364
SetFocus.USER32(?), ref: 00415367
SetForegroundWindow.USER32(?), ref: 0041536A
SetFocus.USER32(?), ref: 0041536D
Sleep.KERNEL32(00000064), ref: 00415371
ShowWindow.USER32(?,00000001), ref: 0041537A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$FocusForegroundShow$Rect$DesktopSleep
String ID:
API String ID: 2688408617-0
Opcode ID: 7a5f6fd0b964fbab2bffc776ebc7f412676fa13c8af691ab0b398f89b03bcf89
Instruction ID: 39c56666d41452987d3b7fe9305ed56471eecf7891ea7fa0ab7c3d1c71a8f08c
Opcode Fuzzy Hash: 7a5f6fd0b964fbab2bffc776ebc7f412676fa13c8af691ab0b398f89b03bcf89
Instruction Fuzzy Hash: 45219472A00319EBCB10EBB5DD88EDE7B7DEB84350F104556E612B3185CB78A581CFA4

Function 00405B34 Relevance: 19.7, APIs: 13, Instructions: 180stringregistryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
GetDesktopWindow.USER32 ref: 00405B68
GetWindowRect.USER32(00000000), ref: 00405B6F

Part of subcall function 00410A33: EnterCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A40
Part of subcall function 00410A33: LeaveCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A70

SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 00405C17
RegDeleteValueA.ADVAPI32(?,00000000), ref: 00405C37
RegCloseKey.ADVAPI32(?), ref: 00405C40
lstrlenA.KERNEL32(?), ref: 00405C70
lstrcmpiA.KERNEL32(00000000,?), ref: 00405CA4
lstrlenA.KERNEL32(?), ref: 00405D02
lstrcmpiA.KERNEL32(00000000,?), ref: 00405D36
LeaveCriticalSection.KERNEL32(0044F7E0), ref: 00405D70

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSection$Delete$EnterLeaveWindowlstrcmpilstrlen$CloseCreateDesktopRectValue
String ID:
API String ID: 3629881134-0
Opcode ID: 8c2247e16eec6ba48e2775c11e4c53cfa32d9f1054ca30fa9e768faa9959b77b
Instruction ID: 2034163c18fc6c54253ab763adb56740a824e02f721f4af71a6baf50f169b6c5
Opcode Fuzzy Hash: 8c2247e16eec6ba48e2775c11e4c53cfa32d9f1054ca30fa9e768faa9959b77b
Instruction Fuzzy Hash: 4651F676904614ABEB20BBA19C0AADB77ACEB10305F50407BF541B6181DB786EC48F2D

Function 0041DFD9 Relevance: 19.6, APIs: 8, Strings: 5, Instructions: 118sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041E045

Part of subcall function 0041D048: EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
Part of subcall function 0041D048: lstrlenA.KERNEL32(?), ref: 0041D066
Part of subcall function 0041D048: SendMessageA.USER32(0000004A,00000000), ref: 0041D082
Part of subcall function 0041D048: LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

wsprintfA.USER32 ref: 0041E079
wsprintfA.USER32 ref: 0041E0B1
Sleep.KERNEL32(00000001), ref: 0041E0C5
wsprintfA.USER32 ref: 0041E0D8
wsprintfA.USER32 ref: 0041E0FB
Sleep.KERNEL32(00000001), ref: 0041E113
Sleep.KERNEL32(00000001), ref: 0041E126

Strings

GET MESSAGE %d BODY, xrefs: 0041E0AB
GET CHAT %s TIMESTAMP, xrefs: 0041E03F
GET MESSAGE %d PARTNER_HANDLE, xrefs: 0041E0D2
GET MESSAGE %d TIMESTAMP, xrefs: 0041E0F5
GET CHAT %s CHATMESSAGES, xrefs: 0041E073

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: wsprintf$Sleep$CriticalSection$EnterLeaveMessageSendlstrlen
String ID: GET CHAT %s CHATMESSAGES$GET CHAT %s TIMESTAMP$GET MESSAGE %d BODY$GET MESSAGE %d PARTNER_HANDLE$GET MESSAGE %d TIMESTAMP
API String ID: 2111711390-799739332
Opcode ID: 65ef290f7743c204c3dab036e9bae9a06310898df4735f64461e61f8546b4ab2
Instruction ID: 286149aadfd70b27aca77458672cdbd0162cbc00d1eafd4ae75ea191c458330e
Opcode Fuzzy Hash: 65ef290f7743c204c3dab036e9bae9a06310898df4735f64461e61f8546b4ab2
Instruction Fuzzy Hash: 0741F875E00318ABEF319FA5C844BCB7FA8AF14304F0444AAED5056242D7BD96C9CBA6

Function 00411CFC Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 89stringtimenetworkCOMMON

Download Yara Rule

APIs

GetDateFormatA.KERNEL32(00000409,00000000,00000000,ddd, dd MMM yyyy,?,00000046), ref: 00411D21
GetTimeFormatA.KERNEL32(00000409,00000000,00000000,HH:mm:ss,?,0000001E), ref: 00411D35
wsprintfA.USER32 ref: 00411D7A
lstrlenA.KERNEL32(?,<h1>%s</h1>,?), ref: 00411DC8
wsprintfA.USER32 ref: 00411DD2
lstrlenA.KERNEL32(?,00000000), ref: 00411DDF
send.WS2_32(?,?,00000000), ref: 00411DEC

Strings

<h1>%s</h1>, xrefs: 00411DBC
ddd, dd MMM yyyy, xrefs: 00411D12
You need Microsoft Windows operating system in order to view this page., xrefs: 00411D7C
HH:mm:ss, xrefs: 00411D2D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Formatlstrlenwsprintf$DateTimesend
String ID: You need Microsoft Windows operating system in order to view this page.$<h1>%s</h1>$HH:mm:ss$ddd, dd MMM yyyy
API String ID: 3801612084-1440507290
Opcode ID: 62141dda1aecad969a0ae61eaf8fc5eef7e2a53e9aa8d847ddc7f911dc446f22
Instruction ID: 3175033ef80f5511cd34c8e73323197f1559dbbf78c17265ad78bbdfeb19af6b
Opcode Fuzzy Hash: 62141dda1aecad969a0ae61eaf8fc5eef7e2a53e9aa8d847ddc7f911dc446f22
Instruction Fuzzy Hash: D9210AB2A0011CBBDB21DBD4EC85EEF77BCEB08314F544066FA08E3141E675AA558BA5

Function 00415B59 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66windowsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 00415B66
GetWindowTextA.USER32(?,?,00000080), ref: 00415B7D

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

SetForegroundWindow.USER32(?), ref: 00415BB2
ShowWindow.USER32(?,00000001), ref: 00415BBB
ShowWindow.USER32(?,00000009), ref: 00415BC4
GetClassNameA.USER32(?,?,00000080), ref: 00415BD3
IsWindowVisible.USER32(?), ref: 00415BF1
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00415C02

Strings

Registry Edi, xrefs: 00415B89
tooltips_class32, xrefs: 00415BDF
User Account Control, xrefs: 00415BA0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Showlstrlen$ClassForegroundMessageNamePostSleepTextVisible
String ID: Registry Edi$User Account Control$tooltips_class32
API String ID: 4180102081-1509812080
Opcode ID: d7f2bc4ca5da4d540acb64fe4ee722e67498b18307d0434090dc870e78a0f9e3
Instruction ID: c93e245c32f7781a02f2af87d642a4a6c60f2c6d5a6879bb70ae2635c1db68f6
Opcode Fuzzy Hash: d7f2bc4ca5da4d540acb64fe4ee722e67498b18307d0434090dc870e78a0f9e3
Instruction Fuzzy Hash: FD110AB6305214BFE721AB60AD0AFDB376CEF09715F10006BF941E11C0DAACA6D1867E

Function 00401B8D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 88sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Sleep.KERNEL32(0000012C), ref: 00401BCE
Sleep.KERNEL32(0000012C), ref: 00401BE0
Sleep.KERNEL32(0000012C), ref: 00401BF2
SetFileAttributesA.KERNEL32(?,00000080), ref: 00401C1F
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00401C36
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00401C4F
CloseHandle.KERNEL32(00000000), ref: 00401C5F

Strings

This program cannot be run in DOS mode, xrefs: 00401C04
M, xrefs: 00401BF4
Z, xrefs: 00401BF9

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileSleep$Heap$AllocateAttributesCloseCreateHandleProcessWrite
String ID: M$This program cannot be run in DOS mode$Z
API String ID: 4125413447-1994174348
Opcode ID: a684f589866e2ba1cbdaeb2e4603d1b4e02b3a4d726e3c360d769efadd1e9600
Instruction ID: 063c169d53d94c2206d9bba7a4140ac5560a49d2057c7dfedb851ee6bbf89c05
Opcode Fuzzy Hash: a684f589866e2ba1cbdaeb2e4603d1b4e02b3a4d726e3c360d769efadd1e9600
Instruction Fuzzy Hash: 632107725402047BEF216FA19C49FEF3F29DF05364F044066FD0465192D67D8961C76A

Function 00420F0A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 00420F24

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

SendMessageA.USER32(?,0000000C,00000000,?), ref: 00420F6A
SetFocus.USER32(?), ref: 00420F71
SendMessageA.USER32(?,00000102,00000062,00000000), ref: 00420F81
SendMessageA.USER32(?,00000102,0000006F,00000000), ref: 00420F8C
SendMessageA.USER32(?,00000102,0000006F,00000000), ref: 00420F97
SendMessageA.USER32(?,00000102,0000006F,00000000), ref: 00420FA2

Strings

RichView, xrefs: 00420F30
ChatRichEdit, xrefs: 00420F47
a, xrefs: 00420F64

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: MessageSend$lstrlen$ClassFocusName
String ID: ChatRichEdit$RichView$a
API String ID: 66543796-1598715665
Opcode ID: 890044fba2cc44263f37aa3dadf0e84e0db21f0fb8ef6964dd6e8cd6dd443eca
Instruction ID: e846d9decd41631cdb4d36d58639d72d19dad4848a72e991b2f40cf8e2b8b0ae
Opcode Fuzzy Hash: 890044fba2cc44263f37aa3dadf0e84e0db21f0fb8ef6964dd6e8cd6dd443eca
Instruction Fuzzy Hash: 8511C6722042187EE721ABA4AC8AFFF7B6CEF45756F00402AF605E1091DFB499818779

Function 004245B1 Relevance: 16.8, APIs: 11, Instructions: 299COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042B908,00000001,00000000,00000000,0042B910,00000038,00424B0D,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004245D8
GetLastError.KERNEL32 ref: 004245EA
MultiByteToWideChar.KERNEL32(?,00000000,00424DA1,?,00000000,00000000,0042B910,00000038,00424B0D,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00424671
MultiByteToWideChar.KERNEL32(?,00000001,00424DA1,?,?,00000000), ref: 004246F2
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0042470C
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 00424747

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 5ebf4d84656ea33a5e16a2db9ec40510f5c82011a8009d03a8aab4f3649bc3b0
Instruction ID: 85a83c01b395e37311d7339dc3e0d672865d23556fff4ce5aea98372a6a78dfe
Opcode Fuzzy Hash: 5ebf4d84656ea33a5e16a2db9ec40510f5c82011a8009d03a8aab4f3649bc3b0
Instruction Fuzzy Hash: 27B1A272A00169EFCF219FA0EC849EF7B75FF48314F94412AF911A2260D7398DA1DB59

Function 0041CC10 Relevance: 16.6, APIs: 11, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045A330), ref: 0041CC19
GetCurrentProcess.KERNEL32(00000080), ref: 0041CC2A
SetPriorityClass.KERNEL32(00000000), ref: 0041CC33
Sleep.KERNEL32(00000064), ref: 0041CC4D
EnumWindows.USER32(Function_0001C853,00000000), ref: 0041CC70
Sleep.KERNEL32(0000012C), ref: 0041CC84
Sleep.KERNEL32(0000000A), ref: 0041CC8F
Sleep.KERNEL32(000001F4), ref: 0041CCAB
GetCurrentProcess.KERNEL32(00000020), ref: 0041CCC0
SetPriorityClass.KERNEL32(00000000), ref: 0041CCC3
LeaveCriticalSection.KERNEL32(0045A330), ref: 0041CCC6

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$ClassCriticalCurrentPriorityProcessSection$EnterEnumLeaveWindows
String ID:
API String ID: 45525367-0
Opcode ID: 516bb46634a88392868154c87f35b5094bcfaa20d88f085637ad835e6f846c17
Instruction ID: e4b7b534546f974815615e0e0b6c2814501736f38d54780cb1c277d08e171287
Opcode Fuzzy Hash: 516bb46634a88392868154c87f35b5094bcfaa20d88f085637ad835e6f846c17
Instruction Fuzzy Hash: D311A3307843449BE7209B74AC89B977B98E716B05F144023E904C23E1E7A9DC95D7EE

Function 00401C74 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149stringfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 00401CA7
lstrlenA.KERNEL32(?), ref: 00401CB0
lstrcpyA.KERNEL32(?,?), ref: 00401D17

Part of subcall function 0041A7A8: lstrlenA.KERNEL32(0045A2D8,?,0000C328,?,0040178B,00000000,00000028,?,?,00000000,00000101,0000C328,?,00000028), ref: 0041A7C3
Part of subcall function 0041A7A8: lstrlenA.KERNEL32(0045A2D8,00000000,0040178B,00000000,00000028,?,?,00000000,00000101,0000C328,?,00000028), ref: 0041A7DB

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

SetFileAttributesA.KERNEL32(?,00000080), ref: 00401D96
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00401DAF
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401DC8
CloseHandle.KERNEL32(00000000), ref: 00401DCF
lstrcpynA.KERNEL32(004594F3,?,00000041), ref: 00401DE8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00401C9B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$Filelstrlen$Processlstrcpy$AllocateAttributesCloseCreateFreeHandleWritelstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1327079956-787714339
Opcode ID: fa4d107f609d19dea433b514101a5e20dde18fe9b54f179357f6e7efbd4c01fa
Instruction ID: d5914a3fd327b66cc3871d7ac49a2fef2b3f6bd2abb959f0b06e8de4b0a62d0c
Opcode Fuzzy Hash: fa4d107f609d19dea433b514101a5e20dde18fe9b54f179357f6e7efbd4c01fa
Instruction Fuzzy Hash: 1F41B172800158BBCF119BE0DC49EEEBB7DEF44301F0000A6FA04BA191DB795B95DB59

Function 00414F30 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105keyboardsleepCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 00414F69
SendInput.USER32(00000001,?,0000001C), ref: 00414F8F
SendInput.USER32(00000001,?,0000001C), ref: 00414FB5
Sleep.KERNEL32(00000064), ref: 00414FB9
SendInput.USER32(00000001,?,0000001C), ref: 00414FE7
SendInput.USER32(00000001,?,0000001C), ref: 00415011
SendInput.USER32(00000001,?,0000001C), ref: 0041503B

Strings

A, xrefs: 0041500A
C, xrefs: 00415035

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: InputSend$Sleep
String ID: A$C
API String ID: 240672775-2418331497
Opcode ID: 1c0c436739b32cef76487c2bd2e5609d6edc443ef8b6e8deb309a561d9fd4a74
Instruction ID: 4123861c5e773278f22ee70391f25b08959f3197a0c97b594261c59329bae634
Opcode Fuzzy Hash: 1c0c436739b32cef76487c2bd2e5609d6edc443ef8b6e8deb309a561d9fd4a74
Instruction Fuzzy Hash: 3D3101B1D0021CAADB11EBD6DD8AEDFFBBCAF54314F104417F205B6111E27856198B66

Function 00415623 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

lstrcpyA.KERNEL32(00000000,00000000), ref: 00415649
lstrlenA.KERNEL32(?), ref: 00415665
lstrlenA.KERNEL32(?), ref: 0041566D
lstrlenA.KERNEL32(?), ref: 004156B6
lstrlenA.KERNEL32(?), ref: 004156BE
lstrlenA.KERNEL32(?), ref: 004156C9
lstrcatA.KERNEL32(?,0042A440), ref: 004156E0
lstrcatA.KERNEL32(?,?), ref: 004156E7

Strings

http:, xrefs: 00415629, 0041564F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcat$lstrcpy
String ID: http:
API String ID: 2778582283-838245522
Opcode ID: 910bc0edabb0361335896f10289412e27d3a1552bd069adf1f798fb91a7db139
Instruction ID: 1031dfbec989802335f12faaa8e25cbdc552db4a7a4cb713b1da852898bd7ad5
Opcode Fuzzy Hash: 910bc0edabb0361335896f10289412e27d3a1552bd069adf1f798fb91a7db139
Instruction Fuzzy Hash: 4E214931604B41DEEB2556388D087FF7B968FD2314F95406BE04A83362DA6D8CC243EE

Function 0041BC53 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76windowthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041BC68
GetClassNameA.USER32(?,?,0000003C), ref: 0041BC86
PostMessageA.USER32(?,00000401,00000000,00000201), ref: 0041BCC8
PostMessageA.USER32(?,00000401,00000000,00000202), ref: 0041BCD2
PostMessageA.USER32(?,00000401,00000000,00000203), ref: 0041BCDE
PostMessageA.USER32(?,00000400,00000000,00000201), ref: 0041BCEA
PostMessageA.USER32(?,00000400,00000000,00000202), ref: 0041BCF5
PostMessageA.USER32(?,00000400,00000000,00000203), ref: 0041BCFC

Part of subcall function 0041435D: GetDesktopWindow.USER32 ref: 0041436A
Part of subcall function 0041435D: GetWindowRect.USER32(00000000), ref: 00414377
Part of subcall function 0041435D: GetWindowRect.USER32(?,?), ref: 00414381
Part of subcall function 0041435D: SetWindowTextA.USER32(?,0042A440), ref: 0041438F
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414401
Part of subcall function 0041435D: SetWindowPos.USER32(?,000000FF,?,00000000,00000000,00000000,00000040), ref: 0041441C
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414425
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414432
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 0041443B
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 0041443E
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414441
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414444
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414447
Part of subcall function 0041435D: Sleep.KERNEL32(00000064), ref: 0041444B
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414454

Strings

tskMainForm., xrefs: 0041BC92

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$MessagePost$FocusForegroundShow$Rect$ClassDesktopNameProcessSleepTextThread
String ID: tskMainForm.
API String ID: 97974782-3792992863
Opcode ID: f3728983acd7094c2e4067bc4e95b9245c57164759366f12bb2ebcef9a7df4c4
Instruction ID: 1bc88987940958ee28aaea085f43472e5cd030fed38d6eae93376470fb00cc23
Opcode Fuzzy Hash: f3728983acd7094c2e4067bc4e95b9245c57164759366f12bb2ebcef9a7df4c4
Instruction Fuzzy Hash: 3411A37164030C7BF520A7519CCAF7F7AACEB81B88F40041AFA10A51C1D7DA691586BA

Function 00420E54 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 00420E70
SendMessageA.USER32(?,0000000C,00000000,004639A9), ref: 00420E97
GetWindowTextA.USER32(?,?,00000080), ref: 00420EBF
SetFocus.USER32(?), ref: 00420EDD
PostMessageA.USER32(?,00000100,0000000D,00000000), ref: 00420EF3
PostMessageA.USER32(?,00000101,0000000D,00000000), ref: 00420EFF

Strings

Open, xrefs: 00420ECB
Edit, xrefs: 00420E7C
Button, xrefs: 00420EA5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Message$Post$ClassFocusNameSendTextWindow
String ID: Button$Edit$Open
API String ID: 1042367570-3097292768
Opcode ID: ac45b4f16eb2aefaeb692399b509cc3780b81aec694696ad590f5342b2021abf
Instruction ID: 440e0089395b4cd75e24fc35e43af4c9def935b2bcea93b6c4d50534f2a2fce1
Opcode Fuzzy Hash: ac45b4f16eb2aefaeb692399b509cc3780b81aec694696ad590f5342b2021abf
Instruction Fuzzy Hash: E111EC327443287AEB219760BC46FBB777CEB54710F64006BFA40F51C0DBE9A54146AD

Function 0040DCB7 Relevance: 15.1, APIs: 10, Instructions: 90networksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0040DCCB
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040DCFD
WSAGetLastError.WS2_32 ref: 0040DD05
Sleep.KERNEL32(00000032), ref: 0040DD17
connect.WS2_32(00000000,00000000,00000010), ref: 0040DD23
select.WS2_32(00000001,00000000,?,?,00000008), ref: 0040DD6A
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040DD84
__WSAFDIsSet.WS2_32(00000000,?), ref: 0040DD96
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0040DDAA
closesocket.WS2_32(00000000), ref: 0040DDB5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ioctlsocket$ErrorLastSleepclosesocketconnectselectsocket
String ID:
API String ID: 3016611618-0
Opcode ID: a94e73af70105644cc51a5b1a60949092c05d3ef8cfe4912ca4a05a6af3f6b7b
Instruction ID: f4301eb2fe830097385759cdc77246e76bd1525ce38ffd049ed5210f823006c9
Opcode Fuzzy Hash: a94e73af70105644cc51a5b1a60949092c05d3ef8cfe4912ca4a05a6af3f6b7b
Instruction Fuzzy Hash: 6F317E71D01218EBDB21DBA4CC48BEE76BCAF04315F1041BAF515F21C1DB788A498BA9

Function 00408DF6 Relevance: 15.1, APIs: 10, Instructions: 90networksleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00408E0A
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00408E3B
WSAGetLastError.WS2_32 ref: 00408E48
Sleep.KERNEL32(00000032), ref: 00408E5A
connect.WS2_32(00000000,00457890,00000010), ref: 00408E64
select.WS2_32(00000001,00000000,?,?,00000008), ref: 00408EAB
__WSAFDIsSet.WS2_32(00000000,?), ref: 00408EC5
__WSAFDIsSet.WS2_32(00000000,?), ref: 00408ED7
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00408EEF
closesocket.WS2_32(00000000), ref: 00408EFA

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ioctlsocket$ErrorLastSleepclosesocketconnectselectsocket
String ID:
API String ID: 3016611618-0
Opcode ID: fac358dad4d35f7003cf61e88a50e81e1635f8c6fac4a525d582d34b8dab9462
Instruction ID: 095206dfada03d9d992cabdccbc1e7c9fd4fcaa7cc267275af628481ba7455b8
Opcode Fuzzy Hash: fac358dad4d35f7003cf61e88a50e81e1635f8c6fac4a525d582d34b8dab9462
Instruction Fuzzy Hash: FE31AF71901218ABD7219FA0CE48BEE7A7CEB04316F1041BEF155F21C2DF789E458BA9

Function 00414E03 Relevance: 15.1, APIs: 10, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00414E1A
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00414E2D
htons.WS2_32(?), ref: 00414E3C
connect.WS2_32(00000000,00000002,00000010), ref: 00414E53
WSAGetLastError.WS2_32(?,?,00000000), ref: 00414E62
select.WS2_32(00000000,00000000,?,?,?), ref: 00414EA6
__WSAFDIsSet.WS2_32(00000000,?), ref: 00414EB8
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00414ECA
__WSAFDIsSet.WS2_32(00000000,?), ref: 00414EE1
closesocket.WS2_32(00000000), ref: 00414EE7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ioctlsocket$ErrorLastclosesocketconnecthtonsselectsocket
String ID:
API String ID: 2173793709-0
Opcode ID: 7c2a54aeaa611af5f0956abcd23816055dea6c1293f3ca778e40e3a7da28d482
Instruction ID: e0b37a306a2363686957244b9fcd8f3cc0c7b7d42db451f1a47bf8cbf8c9e55f
Opcode Fuzzy Hash: 7c2a54aeaa611af5f0956abcd23816055dea6c1293f3ca778e40e3a7da28d482
Instruction Fuzzy Hash: C1212A75900218ABDB11DFA59C489EFBBBCFF88311F40016AF915E2251DB349E418FA9

Function 0041CF94 Relevance: 15.1, APIs: 10, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00414776: EnumWindows.USER32(Function_0001470D,?), ref: 00414780

EnterCriticalSection.KERNEL32(0045A330), ref: 0041CFA5
GetCurrentProcess.KERNEL32(00000080), ref: 0041CFB6
SetPriorityClass.KERNEL32(00000000), ref: 0041CFBF
Sleep.KERNEL32(0000000A), ref: 0041CFE0
GetTickCount.KERNEL32 ref: 0041CFEC
EnumWindows.USER32(Function_0001CCD4,00000000), ref: 0041D00E
Sleep.KERNEL32(0000000A), ref: 0041D016
GetCurrentProcess.KERNEL32(00000020), ref: 0041D034
SetPriorityClass.KERNEL32(00000000), ref: 0041D037
LeaveCriticalSection.KERNEL32(0045A330), ref: 0041D03A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ClassCriticalCurrentEnumPriorityProcessSectionSleepWindows$CountEnterLeaveTick
String ID:
API String ID: 3252203978-0
Opcode ID: cdccc271a5faede5c3c40e492aa862e350efc3fc6618a7e925b96b859fc216cf
Instruction ID: a5a336119df253f1fffcdf563039a0c9a3a08ae81fb15b9ae4675bd3370d4f64
Opcode Fuzzy Hash: cdccc271a5faede5c3c40e492aa862e350efc3fc6618a7e925b96b859fc216cf
Instruction Fuzzy Hash: CF11C6717403009BD7209F75EC49B973B98E70AB16F144033E900C23E1CB68D896DAAE

Function 00407BDB Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00407BE6
GetTickCount.KERNEL32 ref: 00407BF1
lstrcpyA.KERNEL32(?,.rar), ref: 00407CDD

Strings

.pif, xrefs: 00407CC2
.scr, xrefs: 00407CD0
.exe, xrefs: 00407CBB
.bat, xrefs: 00407CC9
.rar, xrefs: 00407CD7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTicklstrcpylstrlen
String ID: .bat$.exe$.pif$.rar$.scr
API String ID: 974621299-1980087502
Opcode ID: 9386c808ec8e78b7e541b69b17434239a1d2e3c1f17c8a87bc6550394096fa31
Instruction ID: 0833c643f36b4e56fa08517ae73d9ed4a666b7fca15df4142953dd5a3c489212
Opcode Fuzzy Hash: 9386c808ec8e78b7e541b69b17434239a1d2e3c1f17c8a87bc6550394096fa31
Instruction Fuzzy Hash: AD310375A4C240ABFB255714DC0577A7FA0DF46314F68407BE840622D2D2BD7886D75F

Function 0041BEC1 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Skype\Phone,00000000,00020019,?), ref: 0041BEEE
RegQueryValueExA.ADVAPI32(?,SkypePath,00000000,?,?,00000103), ref: 0041BF1B
RegCloseKey.ADVAPI32(?), ref: 0041BF2B
RegOpenKeyExA.ADVAPI32(80000002,Software\Skype\Phone,00000000,00020019,?), ref: 0041BF48

Strings

Software\Skype\Phone, xrefs: 0041BED5, 0041BEDA, 0041BF42
SkypePath, xrefs: 0041BF0C, 0041BF11, 0041BF63

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID: SkypePath$Software\Skype\Phone
API String ID: 3546245721-1117510324
Opcode ID: 367d10a8c13fbdfcf413f15c4e4f4e263d2e2bbd6f5fd1b6ca457838a974c5a3
Instruction ID: fb9f27605ba17053757c1271e333da3dbb66d25b01c5d52620dba162a9001a23
Opcode Fuzzy Hash: 367d10a8c13fbdfcf413f15c4e4f4e263d2e2bbd6f5fd1b6ca457838a974c5a3
Instruction Fuzzy Hash: A0218971A44218BEEB108FA59C88FEFBFBCEB04305F0040AAB905E1151DB758645CBA4

Function 00402936 Relevance: 14.0, APIs: 9, Instructions: 486networkstringCOMMON

Download Yara Rule

APIs

select.WS2_32(?,?,00000000,00000000,?), ref: 00402A96
__WSAFDIsSet.WS2_32(?,?), ref: 00402AA4
recv.WS2_32(?,?,00000001,00000000), ref: 00402AB9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402CA8
select.WS2_32 ref: 00402D0E
__WSAFDIsSet.WS2_32(?,00000001), ref: 00402D1C
recv.WS2_32(?,?,?,00000000), ref: 00402D31
EnterCriticalSection.KERNEL32(0044F7B8), ref: 00402E54
LeaveCriticalSection.KERNEL32(0044F7B8), ref: 00402E8C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSectionrecvselect$EnterLeavelstrlen
String ID:
API String ID: 3838822492-0
Opcode ID: 234b5d2d9ce00fd92bc2467f92b6c101c542df7e0db91ddc04daa3ce2dd0cd8e
Instruction ID: 80c32ccfba796d0bdac9e6fe8b9400a056a3b3623a8915c7911b96f3597059b9
Opcode Fuzzy Hash: 234b5d2d9ce00fd92bc2467f92b6c101c542df7e0db91ddc04daa3ce2dd0cd8e
Instruction Fuzzy Hash: 4E02D771A043889EDF21DF64CD49ADE7BACAF59304F44406BF908A32C1D6B8DA44CF59

Function 00429043 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0042B908,00000001,0042B908,00000001,0042C4D8,00000040,00427184,00000001,?,00000000,00422306,00000000,?,0042413A), ref: 0042906F
GetLastError.KERNEL32(?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 00429081
GetCPInfo.KERNEL32(76AF0F00,00000000,0042C4D8,00000040,00427184,00000001,?,00000000,00422306,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310), ref: 0042912B
MultiByteToWideChar.KERNEL32(76AF0F00,00000009,00000000,?,00000000,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004291B9
MultiByteToWideChar.KERNEL32(76AF0F00,00000001,00000000,?,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 00429232
MultiByteToWideChar.KERNEL32(76AF0F00,00000009,776AC310,00000000,00000000,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 0042924F
MultiByteToWideChar.KERNEL32(76AF0F00,00000001,776AC310,00000000,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004292C5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: e32b7b48b83c6e9d5d1115c6ec31c10b8bff38056a486a14eaf21c473df95895
Instruction ID: 508109000cae9e2cdd248d7729261c4b8c559b822e122794a458f7e770b08d33
Opcode Fuzzy Hash: e32b7b48b83c6e9d5d1115c6ec31c10b8bff38056a486a14eaf21c473df95895
Instruction Fuzzy Hash: FAB1AF71B00269EBDF21CF65EC85AAE7BB5EF48710F90001BF814A62A1D7398D61CB59

Function 004162C5 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 80stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,?,?,004165F7,?,errorCode,?), ref: 004162D6

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

lstrlenA.KERNEL32(?,?,?,?,004165F7,?,errorCode,?), ref: 004162E7

Part of subcall function 00410BF4: Sleep.KERNEL32(0000012C,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C14
Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C1D

wsprintfA.USER32 ref: 0041630A
wsprintfA.USER32 ref: 00416317
lstrlenA.KERNEL32(00000000), ref: 00416349
lstrlenA.KERNEL32(00000000,?), ref: 00416351
lstrlenA.KERNEL32(00000000), ref: 00416366

Strings

<%s>, xrefs: 00416301
</%s>, xrefs: 0041630F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Heap$Processwsprintf$AllocateSleep
String ID: <%s>$</%s>
API String ID: 2639865369-2028509962
Opcode ID: f97cf52c2f8d1641e3b8e33af5b2665e0ed0ad924b576fe30c8323033b759fb3
Instruction ID: ad5f7423dbc30fbe1531db5d01a90acf2b714d9077bcf54b353d88c642b336d6
Opcode Fuzzy Hash: f97cf52c2f8d1641e3b8e33af5b2665e0ed0ad924b576fe30c8323033b759fb3
Instruction Fuzzy Hash: C221A472900208BFDF01AFB9DC46E9E7FADDF44318F15401AF80497251EA79A9508B68

Function 004251DD Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,02160CA8,00000000,00000000), ref: 0042525E
GetStdHandle.KERNEL32(000000F4,0042C1B8,00000000,?,00000000,02160CA8,00000000,00000000), ref: 0042532B
WriteFile.KERNEL32(00000000), ref: 00425332

Strings

<program name unknown>, xrefs: 0042526B
Microsoft Visual C++ Runtime Library, xrefs: 00425300
..., xrefs: 0042529E
Runtime Error!Program: , xrefs: 004252D2

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: c6ab408b8c6cb5835f5466a6022ba0e563ec3acdffe6b7fdbd818136dba7c5f2
Instruction ID: 5b7ad73316f436f963902cd660e5f4e64d758ec9cda9fa0a72d0aeb273aeb6c2
Opcode Fuzzy Hash: c6ab408b8c6cb5835f5466a6022ba0e563ec3acdffe6b7fdbd818136dba7c5f2
Instruction Fuzzy Hash: FD31F732700124BBD720AB75FC86FAE7769EB44314F90092BF911D2182DE7C9955876D

Function 0042844A Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004284CB

Strings

<program name unknown>, xrefs: 004284D5
Unknown security failure detected!, xrefs: 00428491
Buffer overrun detected!, xrefs: 004284A7, 0042853F
Program: , xrefs: 00428552
Microsoft Visual C++ Runtime Library, xrefs: 0042857C
..., xrefs: 00428516

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 514040917-1673886896
Opcode ID: 0131ba96e8c4da1cc574e64602ec694c664483fbafeba3d164c4a49e8ddfde52
Instruction ID: 55ad5e87c20d73374b45942f935eeb682e81a4f858f4906db70f1d5b0a44565b
Opcode Fuzzy Hash: 0131ba96e8c4da1cc574e64602ec694c664483fbafeba3d164c4a49e8ddfde52
Instruction Fuzzy Hash: 2731D832B012347BD720BB61BD82F9E37699F04314F90455FF514A6282DEBCDA518B9E

Function 00415104 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 143stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00415114
lstrlenA.KERNEL32(-00000005), ref: 00415209
lstrlenA.KERNEL32(-00000005), ref: 00415211
lstrcpyA.KERNEL32(?,-00000005), ref: 00415220
lstrlenA.KERNEL32(00000000), ref: 00415250
lstrcpyA.KERNEL32(?,00000000), ref: 00415261

Strings

ttp:, xrefs: 00415242
http://, xrefs: 00415194

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: http://$ttp:
API String ID: 805584807-2779018299
Opcode ID: 6c7806ccabbd8fcc7ee7238832fd813b5b7c4b1b92c6720e6b48b731c2fd7ef9
Instruction ID: bda494b76298140d12da1d84aad608d97d7fbce1a881ed08e858e6e482b803ec
Opcode Fuzzy Hash: 6c7806ccabbd8fcc7ee7238832fd813b5b7c4b1b92c6720e6b48b731c2fd7ef9
Instruction Fuzzy Hash: 5941C631E04A55FFEB328A64CC487EFBBB1AB91314F1444A7C98592242C37C4AC6CB59

Function 00425830 Relevance: 12.1, APIs: 8, Instructions: 131COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 0042584C
GetLastError.KERNEL32(?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425860
GetEnvironmentStringsW.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425882
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,76AF0A60,00000000,?,?,?,?,00422CAF), ref: 004258B6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 004258D8
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 004258F1
GetEnvironmentStrings.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425907
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00425943

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: 14d9f0102edccd77b9f672c77a2969e39bce88967141998df9fc879381f07455
Instruction ID: ba898672c03263d1d32ad627b9c1e0deaafb00e3c435e1c8e460b17607d3aaf7
Opcode Fuzzy Hash: 14d9f0102edccd77b9f672c77a2969e39bce88967141998df9fc879381f07455
Instruction Fuzzy Hash: C33116B2704535AFDB207F65BC8483BBA8CEB453A47D5093BF541C3310E6B98C9186AE

Function 00405FD0 Relevance: 12.0, APIs: 8, Instructions: 49sleepthreadwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000002), ref: 00405FD8
GetWindowThreadProcessId.USER32(?,?), ref: 00405FEB
EnableWindow.USER32(?,00000000), ref: 00405FFD
IsWindowEnabled.USER32(?), ref: 00406004
ShowWindow.USER32(?,00000000), ref: 00406010
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0040601B
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00406034
DestroyWindow.USER32(?), ref: 0040603B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$DestroyEnableEnabledMessagePostProcessShowSleepThread
String ID:
API String ID: 1728564233-0
Opcode ID: 47c4687bb97f38a7d82e6fed2abff5cd8377e49c14785139af8aabca3f8013d2
Instruction ID: 5ce9f396147177345ac3bda0077170ccccec577589b9f7b93905b01a4a4ba7ac
Opcode Fuzzy Hash: 47c4687bb97f38a7d82e6fed2abff5cd8377e49c14785139af8aabca3f8013d2
Instruction Fuzzy Hash: E0012C31241114FBDB319B519D4DEAF3B7DEF86B11F4000A9FA02A6290CB795662CB7A

Function 0042726A Relevance: 10.7, APIs: 7, Instructions: 169COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,?,0042C288,00000038,00425D73,?,00000000,00000000,00424DA1,00000000,00000000,0042C268,0000001C,00424AE9,00000001,00000020), ref: 004272A8
GetCPInfo.KERNEL32(00000000,00000001), ref: 004272BB
MultiByteToWideChar.KERNEL32(00000000,00000001,00424DA1,?,00000000,00000000), ref: 00427300

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Info$ByteCharMultiWide
String ID:
API String ID: 1166650589-0
Opcode ID: 00acec5db0e4a054e069fe0062ea75001bc7d0bc223f1826f41e5176a31a730b
Instruction ID: e5ae8cbd430e5c722cef079d93db996f8ae37a74317ef711a0273d561358eaeb
Opcode Fuzzy Hash: 00acec5db0e4a054e069fe0062ea75001bc7d0bc223f1826f41e5176a31a730b
Instruction Fuzzy Hash: 15519F31A04228EBCF30DF95FC8499F7FB9EF85754FA0412AF814A2260D7754951CB68

Function 00417125 Relevance: 10.6, APIs: 7, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000000), ref: 00417139
GetWindowPlacement.USER32(00000000,?,?,?,?), ref: 00417156
GetClassNameA.USER32(00000000,00000000,00000080), ref: 00417180
IsWindowVisible.USER32(00000000), ref: 004171C7
IsWindowEnabled.USER32(00000000), ref: 004171D2
GetWindow.USER32(00000000,00000005), ref: 004171F8
GetWindow.USER32(00000000,00000002), ref: 00417226

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$ClassEnabledNamePlacementVisible
String ID:
API String ID: 3556649163-0
Opcode ID: 2808164bc23d912c63ee89b1a1680f60219bdc0d70aff655dd1ccb3fe22a3fe0
Instruction ID: 486ed90c8f66970c450267cf30335206086b95c5f660d8f04184e3ceb6a86e1f
Opcode Fuzzy Hash: 2808164bc23d912c63ee89b1a1680f60219bdc0d70aff655dd1ccb3fe22a3fe0
Instruction Fuzzy Hash: C4319C71A0060AEFCF10CF68DC84AEE7BB9FF48304F0044A9F905A6252D775DA42CBA4

Function 004161AE Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00416BE9,00000003,?,?,76AF0440,?,0042A4DC,75D36610), ref: 00416205
lstrlenA.KERNEL32(?,?,?,76AF0440,?,0042A4DC,75D36610), ref: 0041620C
lstrlenA.KERNEL32(00000003,?,?,?,?,?,76AF0440,?,0042A4DC,75D36610), ref: 00416235
lstrcpyA.KERNEL32(?,00000003,?,?,?,?,?,76AF0440,?,0042A4DC,75D36610), ref: 00416246
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,76AF0440,?,0042A4DC), ref: 0041627C
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,76AF0440,?,0042A4DC), ref: 004162A0

Strings

://, xrefs: 004161CC

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: ://
API String ID: 805584807-1869659232
Opcode ID: 2b6620673db51c54961dedac987d81946296dde7935255b6a5fe39ac733775ea
Instruction ID: 602d06b892901c54e1810f3825f9a40bc8debde024da92d5a4960577e2ac1f88
Opcode Fuzzy Hash: 2b6620673db51c54961dedac987d81946296dde7935255b6a5fe39ac733775ea
Instruction Fuzzy Hash: AE31EF72500218AFCB11AFA8EC85CDB3FACEF153A4B154166FC0897251D638D965CBBA

Function 00415042 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76keyboardsleepCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 0041507B
SendInput.USER32(00000001,?,0000001C), ref: 004150A1
Sleep.KERNEL32(00000064), ref: 004150A5
SendInput.USER32(00000001,?,0000001C), ref: 004150D3
SendInput.USER32(00000001,?,0000001C), ref: 004150FD

Strings

V, xrefs: 004150F7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: InputSend$Sleep
String ID: V
API String ID: 240672775-1342839628
Opcode ID: 7b81f98a793ce5abd1e9060f4b5e1a42909660d45532c886f336ca13e155e941
Instruction ID: 9f290cfd91dfee7e366b78b15d6756e3afb169dd54bad8c08db7a4cfee71d3d9
Opcode Fuzzy Hash: 7b81f98a793ce5abd1e9060f4b5e1a42909660d45532c886f336ca13e155e941
Instruction Fuzzy Hash: 79212FA2D4021CBBDB11ABD6EC8AEDFFFBCEF50314F100427F601B2160E264565987A6

Function 0041C01E Relevance: 10.6, APIs: 7, Instructions: 67sleepwindowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 0041C067

Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000200,004153D7,?), ref: 004172FA
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000021,004153D7,02040001), ref: 00417305
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000201,00000001,?), ref: 00417310
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000202,00000001,?), ref: 0041731B

Sleep.KERNEL32(000001F4), ref: 0041C09F
GetCursorPos.USER32(?), ref: 0041C0A5
SetCursorPos.USER32(?,?), ref: 0041C0B7
Sleep.KERNEL32(00000032), ref: 0041C0BB
Sleep.KERNEL32(00000032), ref: 0041C0C4
SetCursorPos.USER32(?,?), ref: 0041C0CC

Part of subcall function 0041435D: GetDesktopWindow.USER32 ref: 0041436A
Part of subcall function 0041435D: GetWindowRect.USER32(00000000), ref: 00414377
Part of subcall function 0041435D: GetWindowRect.USER32(?,?), ref: 00414381
Part of subcall function 0041435D: SetWindowTextA.USER32(?,0042A440), ref: 0041438F
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414401
Part of subcall function 0041435D: SetWindowPos.USER32(?,000000FF,?,00000000,00000000,00000000,00000040), ref: 0041441C
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414425
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414432
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 0041443B
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 0041443E
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414441
Part of subcall function 0041435D: SetForegroundWindow.USER32(?), ref: 00414444
Part of subcall function 0041435D: SetFocus.USER32(?), ref: 00414447
Part of subcall function 0041435D: Sleep.KERNEL32(00000064), ref: 0041444B
Part of subcall function 0041435D: ShowWindow.USER32(?,00000001), ref: 00414454

Part of subcall function 0041723B: GetWindowRect.USER32(?,?), ref: 0041725B
Part of subcall function 0041723B: GetClientRect.USER32(?,?), ref: 00417266
Part of subcall function 0041723B: GetWindowInfo.USER32(?,?), ref: 00417271
Part of subcall function 0041723B: GetWindow.USER32(?,00000005), ref: 0041729C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$FocusMessagePostRectSleep$CursorForegroundShow$ClientDesktopInfoText
String ID:
API String ID: 2348713440-0
Opcode ID: 4f66df79ac08361e819a94fecc4ebc5accedf33fdd5bc51566be295143cdaa7a
Instruction ID: 8d1f864990b006e87c7e47a02d893c60dad91602a936ac63b34a93652cf90b4e
Opcode Fuzzy Hash: 4f66df79ac08361e819a94fecc4ebc5accedf33fdd5bc51566be295143cdaa7a
Instruction Fuzzy Hash: 0D11AF32900208FBDF11AFE0DC06ADE3F3AEF48310F104096FD146A191D67656A2DBA9

Function 00411206 Relevance: 10.6, APIs: 7, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000927C0), ref: 00411219
Sleep.KERNEL32(00007530), ref: 00411228
Sleep.KERNEL32(000003E8), ref: 0041123D
gethostname.WS2_32(?,00000080), ref: 00411264
gethostbyname.WS2_32(?), ref: 00411272
inet_ntoa.WS2_32(?), ref: 004112A3
Sleep.KERNEL32(0000EA60), ref: 004112C0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 826719543-0
Opcode ID: 7231b53defef9bb744e4c9a9a3d516ed9fc0ef3e16fe81c510fceb1934fb8bdb
Instruction ID: 49cc356f681f43e0345f39264a21fc1f5e604774ab5c518727903f99d3873967
Opcode Fuzzy Hash: 7231b53defef9bb744e4c9a9a3d516ed9fc0ef3e16fe81c510fceb1934fb8bdb
Instruction Fuzzy Hash: 9E212731A04744AFDB309BA4ED489EB7BA9AB09301B44057AE701F7121DB38A995C75E

Function 00423DF6 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00428591,0042C208,?,?,00423ED5,00000000,00000001,00000000,00428591,00000003), ref: 00423E09
TerminateProcess.KERNEL32(00000000,?,?,00423ED5,00000000,00000001,00000000,00428591,00000003), ref: 00423E10

Strings

<B, xrefs: 00423E81
4B, xrefs: 00423E62
,B, xrefs: 00423E5D
8B, xrefs: 00423E7C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: ,B$4B$8B$<B
API String ID: 2429186680-1229481957
Opcode ID: ffeb17e794c4f1baaeecf30d142b33d19d20cd8600d0f5d99c1bf63b766f24d0
Instruction ID: d3c99af46821c89edaae412be2f8ea36b7e162a635c5aed3ba29d9a877b0b6c9
Opcode Fuzzy Hash: ffeb17e794c4f1baaeecf30d142b33d19d20cd8600d0f5d99c1bf63b766f24d0
Instruction Fuzzy Hash: CD11B4317011319BDB208F5DFC4425A37B59B41B92B910437E816C7211E7BCDE89CB9E

Function 00408F75 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49sleepthreadnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,76AF35B0,00000000), ref: 00408F8D
wsprintfA.USER32 ref: 00408FC1

Part of subcall function 004138BC: inet_addr.WS2_32(?), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000050), ref: 00408FE2
GetTickCount.KERNEL32 ref: 00408FEE
CreateThread.KERNEL32(00000000,00000000,00408F07,00000000,00000000,00000000), ref: 0040900E

Strings

{C@, xrefs: 00408FF4

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountCreateSleepThreadTickgethostbynamehtonsinet_addrwsprintf
String ID: {C@
API String ID: 3851064533-174916597
Opcode ID: ebadc27a76bb4e3271548248bddeae61745505eb3c8ff269f57bfeee11fe8abd
Instruction ID: c89f4757909d1c3c941f245e0f95c8f06e31dabbe2118c59e00684056dfebd2f
Opcode Fuzzy Hash: ebadc27a76bb4e3271548248bddeae61745505eb3c8ff269f57bfeee11fe8abd
Instruction Fuzzy Hash: 29016175508348BFDB017F60BC4AE6A3B68EB00346F40407AFD05962A3D7759E58CB6E

Function 0041469F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000020), ref: 004146B0

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

GetWindowTextA.USER32(?,?,0000003C), ref: 004146D1
EnableWindow.USER32(?,00000000), ref: 004146F7
ShowWindow.USER32(?,00000000), ref: 004146FF

Strings

Notification Ar, xrefs: 004146DA
ToolbarWindow32, xrefs: 004146B9

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$lstrlen$ClassEnableNameShowText
String ID: Notification Ar$ToolbarWindow32
API String ID: 538972384-2301149577
Opcode ID: cff6bb962b0c74caeb6239d4ee8141f09c688826f5017db304f9c0507c69a6af
Instruction ID: 3eb788062b1b642da715b47cf961bf6c044cf71f8bd890d90de7f59fbb932858
Opcode Fuzzy Hash: cff6bb962b0c74caeb6239d4ee8141f09c688826f5017db304f9c0507c69a6af
Instruction Fuzzy Hash: D3F0A4B2645214EBEB10A7E0AC0AEEE736CEF06305F540027F911E21C0E7689982877F

Function 00408F07 Relevance: 10.5, APIs: 7, Instructions: 32threadsleepstringCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00408F09
SetThreadPriority.KERNEL32(00000000), ref: 00408F10
GetTickCount.KERNEL32 ref: 00408F26

Part of subcall function 00408DF6: socket.WS2_32(00000002,00000001,00000006), ref: 00408E0A
Part of subcall function 00408DF6: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 00408E3B
Part of subcall function 00408DF6: connect.WS2_32(00000000,00457890,00000010), ref: 00408E64
Part of subcall function 00408DF6: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00408EEF

lstrlenA.KERNEL32(004578A0,00000000), ref: 00408F44
send.WS2_32(00000000,004578A0,00000000), ref: 00408F4D
Sleep.KERNEL32(0000012C), ref: 00408F58
closesocket.WS2_32(00000000), ref: 00408F5F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Threadioctlsocket$CountCurrentPrioritySleepTickclosesocketconnectlstrlensendsocket
String ID:
API String ID: 3664699870-0
Opcode ID: 0be64e6567d89f056c3a78872591e7995a824adc3a80b9f9394802f9a2fc880a
Instruction ID: af24a37bd55c00e8db6d02cde9bfb8839c93208e7e9c10785fd6ece9764becba
Opcode Fuzzy Hash: 0be64e6567d89f056c3a78872591e7995a824adc3a80b9f9394802f9a2fc880a
Instruction Fuzzy Hash: B3F03072505200AFD3116BB4BD4CB6F3B69AB56322F400179F601E15E2CF389895C77E

Function 00406B75 Relevance: 9.2, APIs: 6, Instructions: 199stringsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00406BB7

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

Part of subcall function 0041A7A8: lstrlenA.KERNEL32(0045A2D8,?,0000C328,?,0040178B,00000000,00000028,?,?,00000000,00000101,0000C328,?,00000028), ref: 0041A7C3
Part of subcall function 0041A7A8: lstrlenA.KERNEL32(0045A2D8,00000000,0040178B,00000000,00000028,?,?,00000000,00000101,0000C328,?,00000028), ref: 0041A7DB

lstrcatA.KERNEL32(00000000,0042A570), ref: 00406CBF
lstrcatA.KERNEL32(00000000,-0042E048), ref: 00406CD4
lstrcatA.KERNEL32(00000000,0042A570), ref: 00406D3C
lstrcatA.KERNEL32(00000000,-0042E048), ref: 00406D51
Sleep.KERNEL32 ref: 00406D85

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$CountTicklstrlen$Sleep
String ID:
API String ID: 3976948946-0
Opcode ID: 70f2160166c336fa2f00a869266c7e2d3911993d0b322237ec74a2ef109c4f89
Instruction ID: 16366cfa811712eeb39b173566f72963fae4b38cea82189eb1d20190be30719b
Opcode Fuzzy Hash: 70f2160166c336fa2f00a869266c7e2d3911993d0b322237ec74a2ef109c4f89
Instruction Fuzzy Hash: D1615CB6E00218BBDB14DBE5DC45ADEBBBEAB84304F10406BF105E7241EB789B94CB54

Function 00426D1B Relevance: 9.2, APIs: 6, Instructions: 175processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,76AF0F00,00000000,00000000,00000001,?,0042B7CC,00000000,?,?,0042B7CC,?,00000000,0044EE14), ref: 00426E75
GetLastError.KERNEL32(?,00000000,0044EE14), ref: 00426E7D
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,0044EE14), ref: 00426EBA
GetExitCodeProcess.KERNEL32(?,0042B7CC), ref: 00426EC7
CloseHandle.KERNEL32(?,?,00000000,0044EE14), ref: 00426ED3
CloseHandle.KERNEL32(?,?,00000000,0044EE14), ref: 00426EE3

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 157478886-0
Opcode ID: 0e6dae67add2e7edbc2a33852ad0284827fa2541cb9d48df200fd36df296eb53
Instruction ID: a1458e87b792cc974f808cfb15b60c101ce6bb7be5ffe00b4e73d95fa57211e7
Opcode Fuzzy Hash: 0e6dae67add2e7edbc2a33852ad0284827fa2541cb9d48df200fd36df296eb53
Instruction Fuzzy Hash: 21513635B00268AFCF21CF64E8804EEBBB5FB05314FA2416BE411AB261D7359E05CB55

Function 00425BF0 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042B908,00000001,?,0042C268,0000001C,00424AE9,00000001,00000020,00000100,?,00000000), ref: 00425C14
GetLastError.KERNEL32 ref: 00425C26
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00424DA1,00000000,00000000,0042C268,0000001C,00424AE9,00000001,00000020,00000100,?,00000000), ref: 00425C88
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00424DA1,?,00000000), ref: 00425D06
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00425D18

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 76cad6ba775d8bcd516b82ce6fc3f11115317b1e53353c35467e1d5be93a392a
Instruction ID: b6579f8ccea5aad9265b89f1fb7ec4f214dc27c6ff7fda89f092b79741bf8ca7
Opcode Fuzzy Hash: 76cad6ba775d8bcd516b82ce6fc3f11115317b1e53353c35467e1d5be93a392a
Instruction Fuzzy Hash: 9E412631B00639EBCB218F61FC49AAF7B75EF44B60F94411AF810A6250D7388D51CBAD

Function 0041D3FF Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789159a2bdc17082fcc724edf0c95d18c1904df461ec2cbe7ab6805167c0503a
Instruction ID: 2600688eb67e087044bda8ff5c7e70b1b86fb3c075d049e429c8ca41136e11ef
Opcode Fuzzy Hash: 789159a2bdc17082fcc724edf0c95d18c1904df461ec2cbe7ab6805167c0503a
Instruction Fuzzy Hash: 9641A1B1A00304FFDF21CF64ED44BAA77B5FB00319F10846AE81597261E738EA91CB49

Function 004013CB Relevance: 9.1, APIs: 6, Instructions: 105filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,76AF0F00,76AE8A60,?,00000000,?,00402432,?), ref: 00401407
Sleep.KERNEL32(000003E8,?,00000000,?,00402432,?), ref: 00401428
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00402432,?), ref: 0040144E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00402432,?), ref: 004014C1
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00402432,?), ref: 004014F5
CloseHandle.KERNEL32(00000000,?,00000000,?,00402432,?), ref: 00401502

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$File$ProcessReadSleep$AllocateCloseCreateFreeHandle
String ID:
API String ID: 3699383182-0
Opcode ID: d85f17f7eb1128324d086243c0b1410018c390558ecb43cab23d11c3d94f6be8
Instruction ID: 20ba747f7d59193939b30476b1915e6e2b0afcd877ecce6c1a7243fa2683c454
Opcode Fuzzy Hash: d85f17f7eb1128324d086243c0b1410018c390558ecb43cab23d11c3d94f6be8
Instruction Fuzzy Hash: BE310679448700AED321AF25FC859677F98E75A320F50053FF401521B1EABD1889DA6E

Function 004056A7 Relevance: 9.1, APIs: 6, Instructions: 102sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004056CB
GetTickCount.KERNEL32 ref: 004056CF
Sleep.KERNEL32(0000000A), ref: 004057AC
Sleep.KERNEL32(000003E8), ref: 004057BB
GetTickCount.KERNEL32 ref: 004057C3
GetTickCount.KERNEL32 ref: 004057D9

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: 629daef370c9ff6295941084d448d0b407ef7d171eefaf5648885d328050dee3
Instruction ID: 8886811e3645dd5fd105ac6f2ed7bba4e59cd6dbffd4ffc0903a61d5b9bd62ff
Opcode Fuzzy Hash: 629daef370c9ff6295941084d448d0b407ef7d171eefaf5648885d328050dee3
Instruction Fuzzy Hash: FE319E60904B91DDEB32A775880436BBBE4CB52304F48087FD581A72C2C67DA888DF6F

Function 0041EAAA Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

lstrlenA.KERNEL32(00000001,?,0045B918,00000000,0041F009,0045B91D), ref: 0041EAED
lstrcmpA.KERNEL32(00000001,TIMESTAMP), ref: 0041EB27
lstrcmpA.KERNEL32(00000001,CHATMESSAGES), ref: 0041EB3F
lstrlenA.KERNEL32(00000002), ref: 0041EB59

Strings

TIMESTAMP, xrefs: 0041EB21
CHATMESSAGES, xrefs: 0041EB39

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcmp
String ID: CHATMESSAGES$TIMESTAMP
API String ID: 3065309983-3883223866
Opcode ID: cb77cf2dcf1da886e02d156672512f75eef800315327272736a8024b0261b7c8
Instruction ID: 8c587b7b17e814ac45b08c177e053b25692d01e71adc04499f0563c4f9581466
Opcode Fuzzy Hash: cb77cf2dcf1da886e02d156672512f75eef800315327272736a8024b0261b7c8
Instruction Fuzzy Hash: 3021F876A0D316AAD711BA77AC45FDB278C8F55318F14006BFD0696282EF6CE8C1426D

Function 0041D208 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 87stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?), ref: 0041D241
lstrcmpA.KERNEL32(?,?), ref: 0041D267
lstrlenA.KERNEL32(00000001), ref: 0041D283
lstrcpyA.KERNEL32(?,-00000002), ref: 0041D296
lstrcmpA.KERNEL32(0000003B,?), ref: 0041D2BA

Strings

;, xrefs: 0041D29C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmplstrcpy$lstrlen
String ID: ;
API String ID: 2699002159-1661535913
Opcode ID: 79530333c1fe725cb978b5d4e272efe8750bf3d1a67d0c1afd678eb2c856374d
Instruction ID: a8241c5b27018e94fe91990cbb7f8857f40f936ec8629c4d25aebebaaca33a86
Opcode Fuzzy Hash: 79530333c1fe725cb978b5d4e272efe8750bf3d1a67d0c1afd678eb2c856374d
Instruction Fuzzy Hash: 412107B2E002159FDB218FE4CD84BE7B7ADAF11354F4800A6E825C7254D7B8EC90C768

Function 004073CE Relevance: 9.1, APIs: 6, Instructions: 63sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00007530), ref: 0040740E
GetLogicalDriveStringsA.KERNEL32(000003FF,?), ref: 0040742C
GetDriveTypeA.KERNEL32(?), ref: 00407453
lstrcpyA.KERNEL32(?,?), ref: 0040746E
lstrlenA.KERNEL32(?), ref: 00407482
Sleep.KERNEL32(00001388), ref: 0040749B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: DriveSleep$LogicalStringsTypelstrcpylstrlen
String ID:
API String ID: 416886986-0
Opcode ID: f3344195adcb0ec7c0bbaa65261c649fc690ddb1f9067fb483218459ef555618
Instruction ID: bbfdd0562c21f24692263b6552ccf8edf75bf2367736b5f1f26355503fcbaf25
Opcode Fuzzy Hash: f3344195adcb0ec7c0bbaa65261c649fc690ddb1f9067fb483218459ef555618
Instruction Fuzzy Hash: 7D1127B1C8C3C56AE73197206C15AAB3F985742304F48483AE9C4672A3D23DBD8AD75F

Function 004149DC Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004138BC: inet_addr.WS2_32(?), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000000), ref: 004149FC
socket.WS2_32(00000002,00000001,00000006), ref: 00414A11
ioctlsocket.WS2_32(00000000,8004667E,00000004), ref: 00414A2C
connect.WS2_32(00000000,00000002,00000010), ref: 00414A39
select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 00414A66
closesocket.WS2_32(00000000), ref: 00414A6F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrioctlsocketselectsocket
String ID:
API String ID: 444889835-0
Opcode ID: bfe5e0e2642357325bc19e7d9a52536bbd5d782dd83a106ab7bd246dd75cea33
Instruction ID: ded24326bd6f7ac8a89645a0ee9b908de195810948d6fb162e011f81d8ed15d6
Opcode Fuzzy Hash: bfe5e0e2642357325bc19e7d9a52536bbd5d782dd83a106ab7bd246dd75cea33
Instruction Fuzzy Hash: 44119171900318AFEB019FE0DC49BEEB77CFF08316F00416AFA11A6191DF749A548B98

Function 0041272F Relevance: 9.0, APIs: 6, Instructions: 38sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 00412744
CreateThread.KERNEL32(00000000,00000000,Function_000126AE,00000000,00000000,00000000), ref: 00412758
GetTickCount.KERNEL32 ref: 00412764
GetTickCount.KERNEL32 ref: 0041276C
Sleep.KERNEL32(000003E8), ref: 0041277B
Sleep.KERNEL32(0000EA60), ref: 0041278B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CountTick$CreateThread
String ID:
API String ID: 4024735586-0
Opcode ID: 9afe8a1db201ebacc295fb3fbbfb31c18dff43c8a1ee2666920b63a3e9e06550
Instruction ID: 30102fe69749e0e27f47770975eac562594a5c07fedf616aa80d11cd1fe59ab1
Opcode Fuzzy Hash: 9afe8a1db201ebacc295fb3fbbfb31c18dff43c8a1ee2666920b63a3e9e06550
Instruction Fuzzy Hash: A0F02B70544389BFE3117B20DEC4CBB3B4CBB423847050436F4619229097885DA6977E

Function 00409201 Relevance: 9.0, APIs: 6, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,0040952A,00000000,00402188,00000000), ref: 0040920A

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

LoadLibraryA.KERNEL32(?,?), ref: 00409223
BeginUpdateResourceA.KERNEL32(?,00000001), ref: 00409236
EnumResourceNamesA.KERNEL32(00000000,0000000E,004091E1,00000000), ref: 0040924B
EndUpdateResourceA.KERNEL32(00000000,00000000), ref: 00409254
FreeLibrary.KERNEL32(00000000), ref: 0040925B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Resource$AttributesFileLibraryUpdate$BeginEnumFreeLoadNames
String ID:
API String ID: 980332788-0
Opcode ID: c9332b95d5ea5032ba19c90525e84cbaac37ef8b39fb654ceb47db05e253ad1c
Instruction ID: 7b0f776b340b65bee597074e77a709d4c982056f550d289e304040912e18300f
Opcode Fuzzy Hash: c9332b95d5ea5032ba19c90525e84cbaac37ef8b39fb654ceb47db05e253ad1c
Instruction Fuzzy Hash: C0F05832204212BBD6322F60FC0DF5B7E65AF85B52F444679FA41B01A1CB758C229B6A

Function 00415285 Relevance: 9.0, APIs: 6, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 00415292
SetForegroundWindow.USER32(?), ref: 00415295
SetForegroundWindow.USER32(?), ref: 00415298
SetForegroundWindow.USER32(?), ref: 0041529B
SetForegroundWindow.USER32(?), ref: 0041529E
Sleep.KERNEL32(00000064,?,?,00415396,?), ref: 004152A2

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ForegroundWindow$Sleep
String ID:
API String ID: 3414397851-0
Opcode ID: 97b4424524ad3d0712e103502ce5e10010844d45ff3c88c7f788e4f7d4387c0c
Instruction ID: eb89fc5ad9fa10eeb6c7fdb79285fbf96a80c7b9d777ff65864cc6962a61c86c
Opcode Fuzzy Hash: 97b4424524ad3d0712e103502ce5e10010844d45ff3c88c7f788e4f7d4387c0c
Instruction Fuzzy Hash: 52D0C922A00138BB812237666D88CBF6F7CDFCA9B0B01005BF608521104B692453EEF7

Function 004058E5 Relevance: 8.9, APIs: 7, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00405927
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00405976
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040599C
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004059EB
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405A1B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: b638f4627732eb91bcd97fda672726ab788b862846abe240ad7aa020d5e8f80b
Instruction ID: 29111852331fc9f6b874d3848e252dbb7bd2cb62a335b53481466694710a7231
Opcode Fuzzy Hash: b638f4627732eb91bcd97fda672726ab788b862846abe240ad7aa020d5e8f80b
Instruction Fuzzy Hash: 5C312B72504A11BBE710BB20AC06AAB7799EB05324F50083FF544B71C1EB7DAD55CAAD

Function 00417016 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168B8
Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168DA
Part of subcall function 00416896: inet_addr.WS2_32(000001D8), ref: 004168ED

gethostname.WS2_32(?,00000080), ref: 0041704F
gethostbyname.WS2_32(?), ref: 00417065

Part of subcall function 00416BF1: lstrlenA.KERNEL32(00459868,004170BD,00000001,?,?,?,76AF23A0), ref: 00416BFF

GetTickCount.KERNEL32 ref: 004170BE

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

inet_ntoa.WS2_32(?), ref: 004170EC

Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?,00417108,0042A774,?,TCP,?,00000000,?,?,?,?,?,?,76AF23A0), ref: 00416EDF
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F08
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F2F
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F58
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F7F
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416FA6
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416FCF

Strings

TCP, xrefs: 004170F6

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$lstrlen$AdaptersInfo$CountTickgethostbynamegethostnameinet_addrinet_ntoa
String ID: TCP
API String ID: 2422590998-617288268
Opcode ID: e1602f64369b46a3807cfafc907e5879a1d62b839d2e3dace35d8ca8e897e3f8
Instruction ID: b1e24fbc6d044a6cad89cbc1356073e7b4529d59893941b7878710fa553d88fd
Opcode Fuzzy Hash: e1602f64369b46a3807cfafc907e5879a1d62b839d2e3dace35d8ca8e897e3f8
Instruction Fuzzy Hash: 4931E872944218AFDF21AFB4DC42DEA37B8AF08344F14043AFA11D2212DA39D9858765

Function 0040710D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00407148
lstrcpynA.KERNEL32(?,?,00000001), ref: 00407179
wsprintfA.USER32 ref: 00407190
ShellExecuteA.SHELL32(00000000,00000000,00459550,?,?,00000000), ref: 004071AF

Strings

a -y -tk -inul "%s" "%s", xrefs: 0040718A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ExecuteShelllstrcpynlstrlenwsprintf
String ID: a -y -tk -inul "%s" "%s"
API String ID: 3829639410-2905394512
Opcode ID: 7c97293413f84c9f8f14aaef77ea9b6cd92d0e57f7caeeab3560becff9bb9e2a
Instruction ID: 326c217c6b6f7d4bd8146a61f9f086012908346599ec174fa88cd2dd75d7bcef
Opcode Fuzzy Hash: 7c97293413f84c9f8f14aaef77ea9b6cd92d0e57f7caeeab3560becff9bb9e2a
Instruction Fuzzy Hash: D7112972D08218BFDB328B78CC44ED77BAC9B04750F1404B5A588F62C2D5746EC58B65

Function 0041BDF3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(?,?), ref: 0041BE01

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000,?,?,?,?), ref: 0041BE1E
VerQueryValueA.VERSION(00000000,0042A3B0,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 0041BE31

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Strings

Higher: %x, xrefs: 0041BE46
Lower: %x, xrefs: 0041BE51

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$FileInfoProcessVersion$AllocateFreeQuerySizeValue
String ID: Higher: %x$Lower: %x
API String ID: 2536384491-2842063683
Opcode ID: 5f0f069ad013188f1c4b64b7c2a0420a2a14f62a35749df945d88ecac4275582
Instruction ID: 56eebd3162b18028b7251b0968c42e15224d0ed09f1a35764b155e5641b832ad
Opcode Fuzzy Hash: 5f0f069ad013188f1c4b64b7c2a0420a2a14f62a35749df945d88ecac4275582
Instruction Fuzzy Hash: 6D118271601228BFD700EF65DC41DAB7BACEF45314B55005AFC05DB241DA38ED11C7A4

Function 004071BD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406D9C: lstrlenA.KERNEL32(?), ref: 00406DB5

Part of subcall function 00406F76: lstrlenA.KERNEL32(?), ref: 00406F8B

Part of subcall function 00406D9C: lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 00406E1F
Part of subcall function 00406D9C: lstrcatA.KERNEL32(00000000,?), ref: 00406E2D
Part of subcall function 00406D9C: GetTickCount.KERNEL32 ref: 00406E33
Part of subcall function 00406D9C: lstrlenA.KERNEL32(00000000), ref: 00406E56
Part of subcall function 00406D9C: wsprintfA.USER32 ref: 00406E7B
Part of subcall function 00406D9C: ShellExecuteA.SHELL32(00000000,00000000,00459550,?,00000000,00000000), ref: 00406E96
Part of subcall function 00406D9C: Sleep.KERNEL32(00000BB8), ref: 00406EA1
Part of subcall function 00406D9C: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406ED3
Part of subcall function 00406D9C: lstrlenA.KERNEL32(?,?), ref: 00406EF5
Part of subcall function 00406D9C: lstrlenA.KERNEL32(?,00000000), ref: 00406EFF
Part of subcall function 00406D9C: ReadFile.KERNEL32(?,?,00000100,?,00000000), ref: 00406F25
Part of subcall function 00406D9C: CloseHandle.KERNEL32(?), ref: 00406F35

lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 0040720D
lstrlenA.KERNEL32(00000000,0000000A), ref: 0040721C
lstrcatA.KERNEL32(00000000,.exe), ref: 0040723D

Strings

.exe, xrefs: 00407231
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00407201

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$Filelstrcatlstrcpy$CloseCountCreateExecuteHandleReadShellSleepTickwsprintf
String ID: .exe$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\
API String ID: 20153216-2928587
Opcode ID: 22b85fd1091add9b8ad02c3bfe50216b0fbd10936eb2904f226c3a7c80e6c9c8
Instruction ID: b8655bf1368447873f574bdc505146dc3dea2c0eda96ab80bdee70fd1e2fcb46
Opcode Fuzzy Hash: 22b85fd1091add9b8ad02c3bfe50216b0fbd10936eb2904f226c3a7c80e6c9c8
Instruction Fuzzy Hash: 1C01DB33A0C2156BDB20AA64AC05FCA33AC9F10314F100477F585E20C1EEB8B7C64BAE

Function 00420FB2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 00420FCB

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

GetWindowTextA.USER32(?,?,00000080), ref: 00421004
lstrlenA.KERNEL32(?), ref: 0042100F

Strings

TConversationForm., xrefs: 00420FD4
TskMultiChatForm., xrefs: 00420FE8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$ClassNameTextWindow
String ID: TConversationForm.$TskMultiChatForm.
API String ID: 3135624604-3921460193
Opcode ID: aa9c27489bc195674f4436dd1275cc9ed224b78000dd7edc875c5fc1c9763827
Instruction ID: 92048e3ca0c4b5642d9c4030300f4ed62e4a246fa2bbab872e422d4a88989829
Opcode Fuzzy Hash: aa9c27489bc195674f4436dd1275cc9ed224b78000dd7edc875c5fc1c9763827
Instruction Fuzzy Hash: EB01F5726041189FEF20EBB0FD05AEF77ECEF14308F600067FC55E2261E6299A948B65

Function 0041470D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000020), ref: 0041471C

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

EnumChildWindows.USER32(?,Function_0001469F,?), ref: 00414769

Strings

NotifyIconOverflowW, xrefs: 0041474D
ToolbarWindow32, xrefs: 00414739
Shell_TrayWnd, xrefs: 00414725

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$ChildClassEnumNameWindows
String ID: NotifyIconOverflowW$Shell_TrayWnd$ToolbarWindow32
API String ID: 2229386341-4003164428
Opcode ID: 34a13e1590ee50ec51f0225bc2a901d09827b872e0a7360d78465de432d85488
Instruction ID: f967666947b2ef1a19ccd906feb9eedd695bd996a2d89b631b970162c6846aa2
Opcode Fuzzy Hash: 34a13e1590ee50ec51f0225bc2a901d09827b872e0a7360d78465de432d85488
Instruction Fuzzy Hash: 08F062B2644318AEEF04BBA1ED1A99E77ACAB00359B60842BF811D51C0EB69E591461D

Function 00413DF9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00000000,0040DBE4), ref: 00413DFF
GetProcAddress.KERNEL32(00000000,NtShutdownSystem), ref: 00413E0F

Part of subcall function 00413D4D: GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
Part of subcall function 00413D4D: OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
Part of subcall function 00413D4D: GetCurrentThread.KERNEL32 ref: 00413D74
Part of subcall function 00413D4D: OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B

Strings

NtShutdownSystem, xrefs: 00413E09
SeShutdownPrivilege, xrefs: 00413E1D
ntdll.dll, xrefs: 00413DFA

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$AddressHandleModuleProc
String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
API String ID: 3075762919-1699316426
Opcode ID: 4418ae8d23ed69dc849c6a8915aac782c2428f256db25c7784c1a8dc7b81b09c
Instruction ID: 7eee17d45d3a3d3c8df278aae3deab6605867ede4639a44efbcfd7aeccc4ad11
Opcode Fuzzy Hash: 4418ae8d23ed69dc849c6a8915aac782c2428f256db25c7784c1a8dc7b81b09c
Instruction Fuzzy Hash: 62D01272B943705BE6206E767C0ABD716449B00F21B964467BC45E51C1D9988CD184AE

Function 00413CC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 22filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(0040D773,0040D773,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,0040D773,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?), ref: 00413CCF
SetFileAttributesA.KERNEL32(0040D773,00000080), ref: 00413CE3
DeleteFileA.KERNEL32(0040D773), ref: 00413CEA
MoveFileA.KERNEL32(?,0040D773), ref: 00413CF5

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 00413CC5

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$AttributesDeleteMovelstrcmp
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 4216764668-2091069259
Opcode ID: d650867cbabe2241ff8acabc40b0d1642bf08f5078d220d4dc31b2e488548c08
Instruction ID: 12a36f7fc0547f54a4055c45ee460fb9c2b2bc2b111907e1b02de74545f4f34a
Opcode Fuzzy Hash: d650867cbabe2241ff8acabc40b0d1642bf08f5078d220d4dc31b2e488548c08
Instruction Fuzzy Hash: B1E08631305230BBCB201F60BC0DACB3B5CAF42231F00C064F85491020C73448A69B9A

Function 00424246 Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,00422419,?), ref: 004242F9
InterlockedExchange.KERNEL32(00463BB8,00000001), ref: 00424377
InterlockedExchange.KERNEL32(00463BB8,00000000), ref: 004243DC
InterlockedExchange.KERNEL32(00463BB8,00000001), ref: 00424400
InterlockedExchange.KERNEL32(00463BB8,00000000), ref: 00424460

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: b00c041dc3ec42eb618501efed6bccdf0cd35c8c0d5b720ffc4708d03e734375
Instruction ID: 9aef48d3448f67a9f75b32ee8449049223c10bbefaa008034e9de75feff364b2
Opcode Fuzzy Hash: b00c041dc3ec42eb618501efed6bccdf0cd35c8c0d5b720ffc4708d03e734375
Instruction Fuzzy Hash: 9651D330B00671DBCB24CF19E884B6A73A0EBC1755FA481ABE802C7291E778ED42C75D

Function 00425952 Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(76AF0A60), ref: 004259A9
GetFileType.KERNEL32(00000800), ref: 00425A50
GetStdHandle.KERNEL32(-000000F6), ref: 00425AA9
GetFileType.KERNEL32(00000000), ref: 00425AB7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileType$HandleInfoStartup
String ID:
API String ID: 2290155327-0
Opcode ID: f8f63ec4bba8fd702233c63b22d656da169e2781094af63c60f0cb75cb52c619
Instruction ID: d2a862219b93b2636bbf7e154969fd1a02f9e5da5015a8ccb00956fe4b263de6
Opcode Fuzzy Hash: f8f63ec4bba8fd702233c63b22d656da169e2781094af63c60f0cb75cb52c619
Instruction Fuzzy Hash: AD512771704A618FD7208F28EC857667BA0AB05335F99836BD4A2CB2E0E778D841C71A

Function 0041100E Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041104A

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00411064
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000064,00000000,00000000), ref: 004110CB
lstrcpyA.KERNEL32(?,?), ref: 004110DB
lstrcatA.KERNEL32(?,?), ref: 004110EF

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ByteCharMultiWide$Heap$AllocateProcesslstrcatlstrcpy
String ID:
API String ID: 639236505-0
Opcode ID: 44d8f4fcfb5e84e8657ef31bca33bc3400902bfa8f18efaf28f601e84597aa2f
Instruction ID: 00c259d247746a2f3f9f6cbc078631993a97f025e118c40de3abb8ee35525b35
Opcode Fuzzy Hash: 44d8f4fcfb5e84e8657ef31bca33bc3400902bfa8f18efaf28f601e84597aa2f
Instruction Fuzzy Hash: EB414C72C0021DBFDF219F94CD85DEFBBBDEB08314F5005AAF614A2190DA74AB948A64

Function 0041A836 Relevance: 7.6, APIs: 5, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0045A2D8,?,?,00000000,?,00401F4A,?,?), ref: 0041A852
lstrlenA.KERNEL32(0045A2D8,00000000,00000000,?,00401F4A,?,?), ref: 0041A86A
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?), ref: 0041A898
ReadFile.KERNEL32(00000000,?,00000400,?,00000000,?,?,?,?,?,?), ref: 0041A8FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0041A903

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Filelstrlen$CloseCreateHandleRead
String ID:
API String ID: 3969191716-0
Opcode ID: f1bc365878a1fba07598aae656edbd1a92688bd0fca3672f0b62f6462dadd13d
Instruction ID: 70d8934ea1e1ab713b593232fcf5332bb3268c6813b75f36181d3b14db31b1a8
Opcode Fuzzy Hash: f1bc365878a1fba07598aae656edbd1a92688bd0fca3672f0b62f6462dadd13d
Instruction Fuzzy Hash: 542171B2900118BFDB20AB94DC41EEF777CEB04354F5001AAFB05E3150D6356EA69B7A

Function 0040EB47 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 92stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000027,0042A7D4,?,76AE83C0,00000000,00000000,?,?,00500000,?,00000027), ref: 0040EB66
lstrlenA.KERNEL32(00000000), ref: 0040EB8A
lstrlenA.KERNEL32(00000000), ref: 0040EBE7
lstrlenA.KERNEL32(00000000), ref: 0040EBF2

Strings

http://, xrefs: 0040EB71

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: http://
API String ID: 805584807-1121587658
Opcode ID: a7c4ec4624abeedc241f4df41fb67cd8b73925c19931829be609556c32468d37
Instruction ID: d1b77b990f14ce89a6e0dde8a29faca488bd1fe2f45f00a0f1608666c2b3606b
Opcode Fuzzy Hash: a7c4ec4624abeedc241f4df41fb67cd8b73925c19931829be609556c32468d37
Instruction Fuzzy Hash: 2C31D831504284DBDB21DF65D9846AB7FB49B0A308F5008B7DC82A7382D679E912D765

Function 00424F32 Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00424F4C
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00424F5D
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 00424FA3
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 00424FE1
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 00425007

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 1c3d2e6415a430fcb73f80f94f34f694c2061d81321953f11082180c8996f1ee
Instruction ID: ca7926daa7b0696f69bf06ee6559843a5a91446e15de802e0cc8552f3fe8254c
Opcode Fuzzy Hash: 1c3d2e6415a430fcb73f80f94f34f694c2061d81321953f11082180c8996f1ee
Instruction Fuzzy Hash: CF31D132F00229EBCF20CFA4ED44AEDBB78EB84724F550166E901E3290D7349E51DB99

Function 00411145 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 00411176
lstrlenA.KERNEL32(00000000), ref: 00411180
lstrcmpA.KERNEL32(00000000,?), ref: 004111B9
wsprintfA.USER32 ref: 004111E7

Strings

\\%s\, xrefs: 004111E1

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmplstrcpylstrlenwsprintf
String ID: \\%s\
API String ID: 3485474333-3797145132
Opcode ID: 32064e61e1f49b5c9c4fb0e02d964cd57f1740343d7312fdcfdc3ce7af2f1b60
Instruction ID: 84d4c3ec829869dbe6ef3b310b516fc96ec6a1f7541f08e11886f651c211f9e4
Opcode Fuzzy Hash: 32064e61e1f49b5c9c4fb0e02d964cd57f1740343d7312fdcfdc3ce7af2f1b60
Instruction Fuzzy Hash: FA21C272A0425DBADF1097A4DC09FEE7BACBB09304F440036E704F7191E778959AC7A5

Function 00412B7E Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045983C,?,?,00000000,?,00404A47,?,?,?,?,?,?,?,?), ref: 00412B8A
LeaveCriticalSection.KERNEL32(0045983C,?,?,00000000,?,00404A47,?,?,?,?,?,?,?,?), ref: 00412BB0
LeaveCriticalSection.KERNEL32(0045983C,?,?,00000000,?,00404A47,?,?,?,?,?,?,?,?), ref: 00412BD9

Strings

GJ@, xrefs: 00412BCC

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: GJ@
API String ID: 2978645861-4141786184
Opcode ID: 9d42d7c0c86a34355b68c5a34fe93979f0555eb0cb166625dd536df2441cc038
Instruction ID: 00e6de7869e808ec88370768f49c71200ac8386265d760a53ec3ec446128fc31
Opcode Fuzzy Hash: 9d42d7c0c86a34355b68c5a34fe93979f0555eb0cb166625dd536df2441cc038
Instruction Fuzzy Hash: C111E676624304DF9715AF14DC465D6B798EF05321B10402BFC04C7202DAB8AC9187A9

Function 00407B0A Relevance: 7.6, APIs: 5, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000080), ref: 00407B25
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00407B36
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00407B4F
CloseHandle.KERNEL32(00000000), ref: 00407B56
SetFileAttributesA.KERNEL32(?,00000007), ref: 00407B7F

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$Attributes$CloseCreateHandleWrite
String ID:
API String ID: 692393803-0
Opcode ID: f3df47be0e8b8253625d1352de455ec88687a31633dca1895cd65be279117722
Instruction ID: 40671c2e2f84df2f62c6f4eb0101908bd37021d9e9d593671b63d8caa07d46a2
Opcode Fuzzy Hash: f3df47be0e8b8253625d1352de455ec88687a31633dca1895cd65be279117722
Instruction Fuzzy Hash: 13018E31905258BBEF215F649C49FDB3F68AF05364F004126FD00621D08274AE61DB66

Function 00409530 Relevance: 7.6, APIs: 5, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00457AB8), ref: 00409541
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000004,00000080,00000000), ref: 00409572
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00409584
WriteFile.KERNEL32(00000000,00457AB8,?,?,00000000), ref: 00409594
CloseHandle.KERNEL32(00000000), ref: 0040959B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWritelstrlen
String ID:
API String ID: 3722912177-0
Opcode ID: 1a79f5b1ce56c777671a6a6f60480a4a14880d8d03aa35684898b3f36d659bb1
Instruction ID: 3c4057b65f01b9325965588dfd8d4090f12d06d54ddacd8982de50a353a82197
Opcode Fuzzy Hash: 1a79f5b1ce56c777671a6a6f60480a4a14880d8d03aa35684898b3f36d659bb1
Instruction Fuzzy Hash: 3B01F2B2A40200BBE6302776AC4EF9B3A6CEBC5B61F404026FA01E10D1DA784A15C779

Function 0041425E Relevance: 7.6, APIs: 5, Instructions: 52processstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0041426F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041427A
Process32First.KERNEL32(00000000,?), ref: 0041429D
CloseHandle.KERNEL32(00000000), ref: 004142E1

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32lstrlen
String ID:
API String ID: 760834177-0
Opcode ID: 6d5f8f7563b110a2be7dfcd0fb4c6b2ad1ace028690d2df6fa8031f375f41686
Instruction ID: e5bf67a6a68b66bc80df5e6fb5e360cd43871c20d938a3156f5d357483015507
Opcode Fuzzy Hash: 6d5f8f7563b110a2be7dfcd0fb4c6b2ad1ace028690d2df6fa8031f375f41686
Instruction Fuzzy Hash: 9301DB71700114ABCB105B65DC489EB7BBCEB48395F0000A6FD05D3141EB34DDD18B59

Function 0041068A Relevance: 7.5, APIs: 5, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,76AE8A60,?,?,?,004108D0,?,00000000,?), ref: 004106A5
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?,004108D0,?,00000000,?), ref: 004106B6
WriteFile.KERNEL32(00000000,?,004108D0,?,00000000,?,?,004108D0,?,00000000,?), ref: 004106D1
CloseHandle.KERNEL32(00000000,?,?,004108D0,?,00000000,?), ref: 004106D8
SetFileAttributesA.KERNEL32(00000000,00000002,?,?,004108D0,?,00000000,?), ref: 004106E3

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$Attributes$CloseCreateHandleWrite
String ID:
API String ID: 692393803-0
Opcode ID: a28542c8d8194dd271a427e1f27038af7f1ed474923027b7147f63bb0d485c30
Instruction ID: 8754977078fc8a3942d47795b7f5e1f7d7f30a626694bd36d382f9fa2b757add
Opcode Fuzzy Hash: a28542c8d8194dd271a427e1f27038af7f1ed474923027b7147f63bb0d485c30
Instruction Fuzzy Hash: 4501A471600208BBDB209FA5DC49FAF7F6CEB89770F504026FA0196191C6B09DA2DB64

Function 004142EE Relevance: 7.5, APIs: 5, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,76AE83C0,76AE8A60), ref: 004142FE
Process32First.KERNEL32(00000000,?), ref: 00414321
CloseHandle.KERNEL32(00000000), ref: 00414351

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 157c52ed4ad1ed28b8987201942e27a3869906bcf08200f0e48f127d2eaf181a
Instruction ID: c32f649fe0a1eed3cabc287f82f20bd2c8a0ac794ff4a9554fbc0528c99487c3
Opcode Fuzzy Hash: 157c52ed4ad1ed28b8987201942e27a3869906bcf08200f0e48f127d2eaf181a
Instruction Fuzzy Hash: 5FF0F671701128ABCB205B75DC4CEEB7BBCEB857A1F000066FD16E2190EF38C9958A69

Function 004141E6 Relevance: 7.5, APIs: 5, Instructions: 38processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004141F4
Process32First.KERNEL32(00000000,?), ref: 00414213
Process32Next.KERNEL32(00000000,00000128), ref: 0041422E
CloseHandle.KERNEL32(00000000), ref: 00414239
lstrcpynA.KERNEL32(?,?,000000C8), ref: 00414253

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpyn
String ID:
API String ID: 1759823670-0
Opcode ID: fbfd6ea1b3d92064f0560a5b95bb04e4245b77c10fc6cde3412c49f5f4632f92
Instruction ID: 6962ffd0d0100b5debede7622d3bcfda1a549c830d4b7470604ba3dd6598fd52
Opcode Fuzzy Hash: fbfd6ea1b3d92064f0560a5b95bb04e4245b77c10fc6cde3412c49f5f4632f92
Instruction Fuzzy Hash: 6901A471501124ABD720DB64DC48FEA77BCEB08361F4041A1F855E21D0DB34EED58A5A

Function 0041445F Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0041446A
GetWindowRect.USER32(00000000), ref: 00414477
GetWindowRect.USER32(?,?), ref: 00414480
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000080), ref: 004144AD
ShowWindow.USER32(?,00000000), ref: 004144B8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Rect$DesktopShow
String ID:
API String ID: 1907590291-0
Opcode ID: 06a2c6ea97281da4f51dfe5ba57a3831f28f39d46fa729c5be2a34bd9ac7b83a
Instruction ID: ef3228d50e6293720b143431d0110c4ac7fec5afb805337dd0511a0ed8060fe1
Opcode Fuzzy Hash: 06a2c6ea97281da4f51dfe5ba57a3831f28f39d46fa729c5be2a34bd9ac7b83a
Instruction Fuzzy Hash: 48F0EC72900119BFDF11DFE8DD49FEE7BBDEB08701F044151BA00E61A4CA75AA518FA4

Function 0041C7E9 Relevance: 7.5, APIs: 5, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045A330), ref: 0041C7F0
Sleep.KERNEL32(00000064), ref: 0041C811
EnumWindows.USER32(Function_0001C66F,00000000), ref: 0041C826
Sleep.KERNEL32(0000000A), ref: 0041C82E
LeaveCriticalSection.KERNEL32(0045A330), ref: 0041C847

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSectionSleep$EnterEnumLeaveWindows
String ID:
API String ID: 970108969-0
Opcode ID: cac9e1c889c9a1202b30a9704d17d0ea4c68b7497903b2e807aaafec3fc2a205
Instruction ID: 347c3037cfa51b170d6f4194da5302b1615cf2b86e42af8d09f192f7a696e1da
Opcode Fuzzy Hash: cac9e1c889c9a1202b30a9704d17d0ea4c68b7497903b2e807aaafec3fc2a205
Instruction Fuzzy Hash: D9F054317843119BD720AF649DC9BAB32D8B71A713F646033ED00D23A0D769DCA1C66E

Function 004283E4 Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004283FF
GetCurrentProcessId.KERNEL32 ref: 0042840B
GetCurrentThreadId.KERNEL32 ref: 00428413
GetTickCount.KERNEL32 ref: 0042841B
QueryPerformanceCounter.KERNEL32(?), ref: 00428427

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: bfd83073e539a0ccdb6337cd3a1b89e76caeeb8a38b1eb6fd68b15f3d1e38019
Instruction ID: 0c9aaaf9d000bd7eb92e406d218c57d3fa9a5442332ca6363a6d1f69c74d18a7
Opcode Fuzzy Hash: bfd83073e539a0ccdb6337cd3a1b89e76caeeb8a38b1eb6fd68b15f3d1e38019
Instruction Fuzzy Hash: BAF0F976E411249BCB20EFF4EC0859EB7B8FB18355BC24875D801E7210EA75A925CB99

Function 004079CF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102stringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004079EF

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

Part of subcall function 00407850: Sleep.KERNEL32(00000005,?,76AE8A60,00000000), ref: 00407864
Part of subcall function 00407850: wsprintfA.USER32 ref: 00407883
Part of subcall function 00407850: FindFirstFileA.KERNEL32(?,?), ref: 00407896
Part of subcall function 00407850: wsprintfA.USER32 ref: 004078D4
Part of subcall function 00407850: FindNextFileA.KERNEL32(00000000,00000010), ref: 0040798E

lstrlenA.KERNEL32(?,?,?,?,76AE8A60), ref: 00407A46
lstrcpyA.KERNEL32(?,Desktop,?,?,?,76AE8A60), ref: 00407A84

Strings

Desktop, xrefs: 00407A7D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileFindwsprintf$CountFirstFolderFromListLocationMallocNextPathSleepSpecialTicklstrcatlstrcpylstrlen
String ID: Desktop
API String ID: 1306859140-3336322104
Opcode ID: 88b02a22575b08bf3629dd0f1567974b0d6cc662ad6f1002e125712ec9440293
Instruction ID: d758924f8f924a0cb4478b1c2a6b9e0f80ec40a8d7e309cd9d1a2c00b3c217ad
Opcode Fuzzy Hash: 88b02a22575b08bf3629dd0f1567974b0d6cc662ad6f1002e125712ec9440293
Instruction Fuzzy Hash: BF31FC71E0C218AFEB10A764EC49BEB37A99B50305F4040BBE18466192DA7C6EC4CF5A

Function 00401EBD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77stringfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 00401EF8
lstrlenA.KERNEL32(?), ref: 00401F05
CopyFileA.KERNEL32(?,?,00000000), ref: 00401F83

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00401EEC

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CopyFilelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 4075108951-787714339
Opcode ID: aff398feedf124acc82fad0585b1d7ca4975056247b61f76f7028d9bb95457f8
Instruction ID: 430151959db830f2a2b4c62ade9a8cffceb94f515da44b32d0551270b3886620
Opcode Fuzzy Hash: aff398feedf124acc82fad0585b1d7ca4975056247b61f76f7028d9bb95457f8
Instruction Fuzzy Hash: 7321DA7294935AAADF10EAB0DC45EDF776C5B02305F0004B7E908F31A1E778DA4A8B69

Function 0040C5D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411608: lstrlenA.KERNEL32(?), ref: 0041167D

GetTickCount.KERNEL32 ref: 0040C5FC

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcatA.KERNEL32(00000000,.exe), ref: 0040C62C

Part of subcall function 00401B8D: Sleep.KERNEL32(0000012C), ref: 00401BCE
Part of subcall function 00401B8D: Sleep.KERNEL32(0000012C), ref: 00401BE0
Part of subcall function 00401B8D: Sleep.KERNEL32(0000012C), ref: 00401BF2
Part of subcall function 00401B8D: SetFileAttributesA.KERNEL32(?,00000080), ref: 00401C1F
Part of subcall function 00401B8D: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00401C36
Part of subcall function 00401B8D: WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00401C4F
Part of subcall function 00401B8D: CloseHandle.KERNEL32(00000000), ref: 00401C5F

ShellExecuteA.SHELL32(00000000,00000000,00000000,0042A774,00000000,00000001), ref: 0040C666

Strings

.exe, xrefs: 0040C623

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileSleep$lstrlen$AttributesCloseCountCreateExecuteHandleShellTickWritelstrcat
String ID: .exe
API String ID: 3648662734-4119554291
Opcode ID: e8f90210d35fdd40397f299d270fccb0d4b181ca6391d82bf4f94bbb5cf282e5
Instruction ID: 4c10d4b1cf75abe528a72ad0bef25bac3a4141dd7ab88e2520ae9ef8a3839170
Opcode Fuzzy Hash: e8f90210d35fdd40397f299d270fccb0d4b181ca6391d82bf4f94bbb5cf282e5
Instruction Fuzzy Hash: 22110C72A80208BAEF00A794DC06FED737CAB08704F04016BFA00F10D1EAB9A5198679

Function 00413D02 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000100), ref: 00413D20
LoadLibraryA.KERNEL32(sfc_os.dll), ref: 00413D2B
GetProcAddress.KERNEL32(00000000,00000005), ref: 00413D34

Strings

sfc_os.dll, xrefs: 00413D26

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressByteCharLibraryLoadMultiProcWide
String ID: sfc_os.dll
API String ID: 333878435-2681931132
Opcode ID: 3c36bd2c1550f0672266681a64d7f472ae4e6c1e8223920922018f43c4b72a64
Instruction ID: b7e4b594249faae0cedef0215e17f547bd7fa22e2a5bf3066866e522bee7e195
Opcode Fuzzy Hash: 3c36bd2c1550f0672266681a64d7f472ae4e6c1e8223920922018f43c4b72a64
Instruction Fuzzy Hash: B0E04F317443147BFB205FA0EC4EFA6362CAB04B61F640354BB35E40D0EEF495998B6A

Function 00423BD0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0042226B), ref: 00423BD5
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423BE5

Strings

KERNEL32, xrefs: 00423BD0
IsProcessorFeaturePresent, xrefs: 00423BDF

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f12c921f5fd64b11bdb0c36ca5c698a58493f93ababd91f61c6408f13851d5d8
Instruction ID: 7d87cd67580a8154b64bb9a0536dc1bb676679c55bbe3d1fe156cc616d992e98
Opcode Fuzzy Hash: f12c921f5fd64b11bdb0c36ca5c698a58493f93ababd91f61c6408f13851d5d8
Instruction Fuzzy Hash: 25C0125034022256E9202F717C0AF161B28BF00B07FD80062B419D01C1CFACD145547E

Function 0040C674 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(0041F3FB,00000000), ref: 0040C67A
ShellExecuteA.SHELL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\takyouhoymc.exe,00000001,00000000,00000001), ref: 0040C691
ExitProcess.KERNEL32 ref: 0040C699

Strings

C:\Users\user\AppData\Local\Temp\takyouhoymc.exe, xrefs: 0040C688

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CloseExecuteExitHandleProcessShell
String ID: C:\Users\user\AppData\Local\Temp\takyouhoymc.exe
API String ID: 994193230-1461836236
Opcode ID: 39c8a3a203cc93bba26eb6a24b4b94eeff2c464433a66f504b0ee0a69df1a9e2
Instruction ID: 70252b09c90ea14362a5bb8daab0397fce26917c22795f88bbac2379e06a643a
Opcode Fuzzy Hash: 39c8a3a203cc93bba26eb6a24b4b94eeff2c464433a66f504b0ee0a69df1a9e2
Instruction Fuzzy Hash: 08D0EA313C4300BBEA611B90AC0BF583A61AB04B53F648028FB05690E28EA55525DB2E

Function 0042055A Relevance: 6.2, APIs: 4, Instructions: 214stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,0042B724,?,?,76AF23A0), ref: 00420599
lstrlenA.KERNEL32(?,?,?,76AF23A0), ref: 004205A0
GetTickCount.KERNEL32 ref: 004205A8

Part of subcall function 0041F7DB: lstrlenA.KERNEL32(?,http://,?,?,0041FFE6,00000000,?,?,76AF0F00,?,00000000), ref: 0041F7E5

Part of subcall function 0041F547: GetTickCount.KERNEL32 ref: 0041F5B6

wsprintfA.USER32 ref: 00420731

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTicklstrlen$lstrcatwsprintf
String ID:
API String ID: 2515930562-0
Opcode ID: 53d18ddd1d0079a6accab1dce111c2adebd7c35cfd4130e015f70862a83a2607
Instruction ID: b992bff5f20849616ed4f97962bd2e59fa111d5ad7201b43100a5fdde584aae1
Opcode Fuzzy Hash: 53d18ddd1d0079a6accab1dce111c2adebd7c35cfd4130e015f70862a83a2607
Instruction Fuzzy Hash: F251A471344168AEDB10CA989C81FFA77ECFB5C740F94046BF240E61C2C699ED419B75

Function 00425E36 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 00425F2A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5cf5ec3bae8b33c1d780aa0061c0b2ae3875ea227d0fa74ca9e8dbcc2347a181
Instruction ID: cbbf35ce830668d8617e74e8338189c3f00814dde3f1405b234ef7302bc23b7f
Opcode Fuzzy Hash: 5cf5ec3bae8b33c1d780aa0061c0b2ae3875ea227d0fa74ca9e8dbcc2347a181
Instruction Fuzzy Hash: 52519E31B00698CFDB32CF68ED80BED7BB8AF45704F55012AD8959B251D7B49A01CF1A

Function 0041D70D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,00000000), ref: 0041D7AB
lstrcmpA.KERNEL32(00000000,?), ref: 0041D7F3
lstrlenA.KERNEL32(00000000), ref: 0041D800

Strings

http://, xrefs: 0041D777

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcmplstrcpylstrlen
String ID: http://
API String ID: 2559493007-1121587658
Opcode ID: c6be6e3f908fa445aba55a790cb8d7af42154762c880218be1c3ad3e43d882db
Instruction ID: a4590b9bd4e062a28cf3547bf00c85fa10a140c9781eeb4f36f1418112494057
Opcode Fuzzy Hash: c6be6e3f908fa445aba55a790cb8d7af42154762c880218be1c3ad3e43d882db
Instruction Fuzzy Hash: 6A415CB1A043019FD724EF29EC94BA6B7E4FB40715F14493EE865C2691E738E894CB89

Function 004200F9 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004201D8
Sleep.KERNEL32(000007D0), ref: 00420207

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

Strings

d, xrefs: 00420192
CHAT CREATE %s, xrefs: 004201D2

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountSleepTickwsprintf
String ID: CHAT CREATE %s$d
API String ID: 21340384-1393571586
Opcode ID: 6ff5e123241310e84f5d937806fdfd97bc892e57cf58ef5ee357e48b1a968bb9
Instruction ID: 9b9521ded8b57a1770c2347fc0122ac2a4d25d25d1d9837db78de688113ac97f
Opcode Fuzzy Hash: 6ff5e123241310e84f5d937806fdfd97bc892e57cf58ef5ee357e48b1a968bb9
Instruction Fuzzy Hash: 0941D430604744DFC720EF69D8859AAFBE1FF04304B55896FE08A87652CB39E894CB5E

Function 004209F1 Relevance: 6.1, APIs: 4, Instructions: 104stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F8B9: GetTickCount.KERNEL32 ref: 0041F92B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F966
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F985
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F990
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F99B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F9A2
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F9B2

lstrcmpiA.KERNEL32(?,?), ref: 00420A7A
lstrcpynA.KERNEL32(00000000,?,00000078,?,?,00000000), ref: 00420A90
GetTickCount.KERNEL32 ref: 00420AB3
Sleep.KERNEL32(000003E8,?,?,00000000), ref: 00420AF4

Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420325
Part of subcall function 004202CD: Sleep.KERNEL32(0000012C), ref: 00420331
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420366
Part of subcall function 004202CD: lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 0042038A
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420393

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$lstrcat$lstrlen$Sleep$lstrcmpilstrcpyn
String ID:
API String ID: 4241744780-0
Opcode ID: 44883a3815d3073cb37bdfdc3f1f149689f61383e7c1f7321c827877c69c6c26
Instruction ID: 953f808e21a2c27c64224b74544a12e517f99e1642c298c3c56d582e38ba8767
Opcode Fuzzy Hash: 44883a3815d3073cb37bdfdc3f1f149689f61383e7c1f7321c827877c69c6c26
Instruction Fuzzy Hash: B031DD31B007289FDF30DFA4D845BEA77F5AF14304F90096EE912A6292DB78A949CB54

Function 004208C4 Relevance: 6.1, APIs: 4, Instructions: 102stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F8B9: GetTickCount.KERNEL32 ref: 0041F92B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F966
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F985
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F990
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F99B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F9A2
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F9B2

lstrcmpiA.KERNEL32(?,?), ref: 00420951
lstrcpynA.KERNEL32(00000000,?,00000078,?,?,00000000), ref: 00420967
GetTickCount.KERNEL32 ref: 0042098A
Sleep.KERNEL32(000003E8,?,?,00000000), ref: 004209D1

Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420325
Part of subcall function 004202CD: Sleep.KERNEL32(0000012C), ref: 00420331
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420366
Part of subcall function 004202CD: lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 0042038A
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420393

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$lstrcat$lstrlen$Sleep$lstrcmpilstrcpyn
String ID:
API String ID: 4241744780-0
Opcode ID: a5797a3337ac284f49606b989114822fa8f6a7677816d38e25a2feba24009512
Instruction ID: e1c63eb699c4a579d3e53cbe12f8c53483fa5a3500a6c19c00d829c2c369af7d
Opcode Fuzzy Hash: a5797a3337ac284f49606b989114822fa8f6a7677816d38e25a2feba24009512
Instruction Fuzzy Hash: D331E371B003289FEF20CF64D805BEB77E4AF04314F50096EE95696293DB789989CB54

Function 0042079E Relevance: 6.1, APIs: 4, Instructions: 100stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F8B9: GetTickCount.KERNEL32 ref: 0041F92B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F966
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F985
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F990
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F99B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F9A2
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F9B2

lstrcmpiA.KERNEL32(?,?), ref: 00420827
lstrcpynA.KERNEL32(00000000,?,00000078,?,?,00000000), ref: 0042083D
Sleep.KERNEL32(000003E8,?,?,00000000), ref: 0042087F
GetTickCount.KERNEL32 ref: 0042089F

Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420325
Part of subcall function 004202CD: Sleep.KERNEL32(0000012C), ref: 00420331
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420366
Part of subcall function 004202CD: lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 0042038A
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420393

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$lstrcat$lstrlen$Sleep$lstrcmpilstrcpyn
String ID:
API String ID: 4241744780-0
Opcode ID: 9392b36242cc7ed13ec57d78c28b336a9ef2289a1b2e8936bea960e985ed45cd
Instruction ID: 42656bc9f5e024d0354263a5112524b3942502546d307857efd8012ea829e0b8
Opcode Fuzzy Hash: 9392b36242cc7ed13ec57d78c28b336a9ef2289a1b2e8936bea960e985ed45cd
Instruction Fuzzy Hash: DB31E131B003289FDF20DF64DC45BEB77E8BF04304F4009AEE916E6252DBB899498B94

Function 004291EF Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00424F32: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00424F4C
Part of subcall function 00424F32: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00424F5D
Part of subcall function 00424F32: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 00424FA3

MultiByteToWideChar.KERNEL32(76AF0F00,00000001,00000000,?,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 00429232
MultiByteToWideChar.KERNEL32(76AF0F00,00000009,776AC310,00000000,00000000,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 0042924F
MultiByteToWideChar.KERNEL32(76AF0F00,00000001,776AC310,00000000,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004292C5
CompareStringW.KERNEL32(?,00422306,?,00000000,?,00000000,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004292DB

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: fb35f81421f692068891776308fa5d31242e05a5f257596bc3c7b8f33c9911f2
Instruction ID: ae47bed5f32cbe4aa223ba5e2d21f9e998b1d44a72276bfa51ed39dd79f559bf
Opcode Fuzzy Hash: fb35f81421f692068891776308fa5d31242e05a5f257596bc3c7b8f33c9911f2
Instruction Fuzzy Hash: 3331AF32A00229EBCF21DF95EC45BDEBF76EF44724FA1011AF814A61A0CB788D51CB58

Function 00406655 Relevance: 6.1, APIs: 4, Instructions: 67fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(00406810,40000000,00000002,00000000,00000004,00000080,00000000,76AE8A60,?,00406810,?), ref: 004066A1
GetTickCount.KERNEL32 ref: 004066AA
WriteFile.KERNEL32(000000FF,?,00001000,00406810,00000000,75D36610,00000000,?,00406810), ref: 004066F4
CloseHandle.KERNEL32(000000FF,?,00406810), ref: 00406706

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandle$CountSizeTickWrite
String ID:
API String ID: 1977331138-0
Opcode ID: 75411ad5c477393b6fdeb7caef021b528b0a5ab15cfd8a9bf23aa59ee7e7a4d7
Instruction ID: 4f04a93556094e34b3a37cb498cd4860a69bac382634e6e20e0837a594e2ce7d
Opcode Fuzzy Hash: 75411ad5c477393b6fdeb7caef021b528b0a5ab15cfd8a9bf23aa59ee7e7a4d7
Instruction Fuzzy Hash: 17113B32E00214ABDB216BA8DC42BDD3A29EF40769F010177FD05B71E1CA759E918698

Function 0041723B Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041725B
GetClientRect.USER32(?,?), ref: 00417266
GetWindowInfo.USER32(?,?), ref: 00417271
GetWindow.USER32(?,00000005), ref: 0041729C

Part of subcall function 00417125: GetWindow.USER32(?,00000000), ref: 00417139
Part of subcall function 00417125: GetWindowPlacement.USER32(00000000,?,?,?,?), ref: 00417156
Part of subcall function 00417125: GetClassNameA.USER32(00000000,00000000,00000080), ref: 00417180
Part of subcall function 00417125: IsWindowVisible.USER32(00000000), ref: 004171C7
Part of subcall function 00417125: IsWindowEnabled.USER32(00000000), ref: 004171D2
Part of subcall function 00417125: GetWindow.USER32(00000000,00000005), ref: 004171F8
Part of subcall function 00417125: GetWindow.USER32(00000000,00000002), ref: 00417226

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Window$Rect$ClassClientEnabledInfoNamePlacementVisible
String ID:
API String ID: 958396790-0
Opcode ID: 451f102180915608758762e81bcc6ea204a602677e2a5c43edadebfc5579c894
Instruction ID: b977da9bbf90926a89ef85ef9d4faa28d65c36069d63d0f58ffc69ee64d48ea3
Opcode Fuzzy Hash: 451f102180915608758762e81bcc6ea204a602677e2a5c43edadebfc5579c894
Instruction Fuzzy Hash: 7D110A72A0051AAFCF04DFA8DD45AEF7BB9FF45304F104069F901A7280D771AA168BA5

Function 004126AE Relevance: 6.0, APIs: 4, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004126D4
GetTickCount.KERNEL32 ref: 004126F4
GetTickCount.KERNEL32 ref: 00412706
Sleep.KERNEL32(00001388), ref: 00412727

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 927089b9a521020d12e607415fbab0d40aa0b1844df1ff430aeeb4e75aa2d9aa
Instruction ID: c9d6b92abd626ca5db185230e959bef37719a4ae52968149ec7b4f218e17ecc5
Opcode Fuzzy Hash: 927089b9a521020d12e607415fbab0d40aa0b1844df1ff430aeeb4e75aa2d9aa
Instruction Fuzzy Hash: 590161708047809AEF30AB30D6444ABBB909F113507498D5FD4E6E26D1D79DACE89B5A

Function 00415CFE Relevance: 6.0, APIs: 4, Instructions: 42filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00415D21
lstrlenA.KERNEL32(?,00000000,00000000), ref: 00415D58
WriteFile.KERNEL32(00000000,?,00000000), ref: 00415D67
CloseHandle.KERNEL32(00000000), ref: 00415D6E

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: 751aca115ca30a0691fde6439a8cb51a404cb0d25d1dc1366fcd9267d9eefbed
Instruction ID: c9399c30415d5887cf24083e5581c53b54ef4251420ccb471ea54a3b1316dc9a
Opcode Fuzzy Hash: 751aca115ca30a0691fde6439a8cb51a404cb0d25d1dc1366fcd9267d9eefbed
Instruction Fuzzy Hash: F9F0C872744108BBD7209760EC4EFFB367CA744B15F900571FA01E50C0D7745A559B29

Function 004172D4 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(004153D7,00000200,004153D7,?), ref: 004172FA
PostMessageA.USER32(004153D7,00000021,004153D7,02040001), ref: 00417305
PostMessageA.USER32(004153D7,00000201,00000001,?), ref: 00417310
PostMessageA.USER32(004153D7,00000202,00000001,?), ref: 0041731B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7c15f197f06ad4af64c7e4a50c373954960f06710e255eec9a3b5d27e1103e77
Instruction ID: 2737aa16c3ff472dc59428932faf493f836c28255a8283cd38114ac1b539a4e7
Opcode Fuzzy Hash: 7c15f197f06ad4af64c7e4a50c373954960f06710e255eec9a3b5d27e1103e77
Instruction Fuzzy Hash: E3F012722413287AEA205A6A9CC9ECB7B1DEB85764F024511FA187718285B5A8148AB0

Function 0041611C Relevance: 6.0, APIs: 4, Instructions: 36stringnetworkCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00459C70,?,004169E4,?,?,0000076C,?), ref: 0041612D
lstrcpyA.KERNEL32(?,?,?,004169E4,?,?,0000076C,?), ref: 0041613F
htons.WS2_32 ref: 0041615E
sendto.WS2_32(?,?,00000000,00000000,00000002,00000010), ref: 00416181

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: htonslstrcpylstrlensendto
String ID:
API String ID: 4028827002-0
Opcode ID: ada5a819c4780d407ae664290336f1a96f003a884f285d8cd3a884cb3c6307ef
Instruction ID: 24cd2ecbbff7c42d4baa1b946ab2aa8548660ea003772a9b4aab4a1b122aa4a3
Opcode Fuzzy Hash: ada5a819c4780d407ae664290336f1a96f003a884f285d8cd3a884cb3c6307ef
Instruction Fuzzy Hash: 83F0317690021DABCF10EF90EC09BDE77BCFF04300F408465FD15A21A1DB7496618B66

Function 004140CA Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
SHGetMalloc.SHELL32(?), ref: 004140F2
lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: FolderFromListLocationMallocPathSpeciallstrcat
String ID:
API String ID: 184925564-0
Opcode ID: c5650b9585e189a1aad39bfab654fba963a07972d6129a42c432e7bc8104cf66
Instruction ID: 4893c9fcd2a20e39af297159af48713977b3e8e57404a87c3b1fccec64a73e85
Opcode Fuzzy Hash: c5650b9585e189a1aad39bfab654fba963a07972d6129a42c432e7bc8104cf66
Instruction Fuzzy Hash: D0F0E275600219FFCB109F94DC08A9A7BA8EF09315F1080A4FD05D7250D675AA12CBA6

Function 0041D048 Relevance: 6.0, APIs: 4, Instructions: 28stringwindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
lstrlenA.KERNEL32(?), ref: 0041D066
SendMessageA.USER32(0000004A,00000000), ref: 0041D082
LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageSendlstrlen
String ID:
API String ID: 2615675618-0
Opcode ID: 7c74f56ab4b2f4d99c8cf02e5dac5e513ef1ef44eafc1b19ff3713757b601000
Instruction ID: 04bdf258bc530c0cdee2ac19c1b7621b2973c0a551cbe2d9e9c14f2e41fc7480
Opcode Fuzzy Hash: 7c74f56ab4b2f4d99c8cf02e5dac5e513ef1ef44eafc1b19ff3713757b601000
Instruction Fuzzy Hash: 59F08271900304EBCB119FA4EC08B9E7BB8EB09302F008075ED16E2161D73486559BAE

Function 00415497 Relevance: 6.0, APIs: 4, Instructions: 23sleepwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004154A0

Part of subcall function 00415285: SetForegroundWindow.USER32(?), ref: 00415292
Part of subcall function 00415285: SetForegroundWindow.USER32(?), ref: 00415295
Part of subcall function 00415285: SetForegroundWindow.USER32(?), ref: 00415298
Part of subcall function 00415285: SetForegroundWindow.USER32(?), ref: 0041529B
Part of subcall function 00415285: SetForegroundWindow.USER32(?), ref: 0041529E
Part of subcall function 00415285: Sleep.KERNEL32(00000064,?,?,00415396,?), ref: 004152A2

SetFocus.USER32(?), ref: 004154B0
Sleep.KERNEL32(00000064), ref: 004154B8

Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 00414F69
Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 00414F8F
Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 00414FB5
Part of subcall function 00414F30: Sleep.KERNEL32(00000064), ref: 00414FB9
Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 00414FE7
Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 00415011
Part of subcall function 00414F30: SendInput.USER32(00000001,?,0000001C), ref: 0041503B

Sleep.KERNEL32(00000064), ref: 004154C1

Part of subcall function 004139A0: IsClipboardFormatAvailable.USER32(00000001), ref: 004139A3
Part of subcall function 004139A0: OpenClipboard.USER32(00000000), ref: 004139AF
Part of subcall function 004139A0: GetClipboardData.USER32(00000001), ref: 004139BB
Part of subcall function 004139A0: CloseClipboard.USER32 ref: 004139C7

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: InputSend$ForegroundSleepWindow$Clipboard$AvailableCloseDataFocusFormatOpen
String ID:
API String ID: 3330334153-0
Opcode ID: 83504add1d1dedb3060f3dacfa7b4d1322a3a36fe359fba6de55aa8246b620a7
Instruction ID: dee85f7f1a3561ffc2b023e0868ec920ac2daafd16a2ad31e82ed3c30e12405c
Opcode Fuzzy Hash: 83504add1d1dedb3060f3dacfa7b4d1322a3a36fe359fba6de55aa8246b620a7
Instruction Fuzzy Hash: 0FE08632A583126FD5053BA1EC06A9E3F51DF80360F00046BF204440E4CE7654A28A5E

Function 004218D6 Relevance: 6.0, APIs: 4, Instructions: 20sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004218F5
EnterCriticalSection.KERNEL32(0045A330), ref: 00421905
EnumWindows.USER32(Function_0002108F,00000000), ref: 00421912
Sleep.KERNEL32(0000000F), ref: 0042191A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Sleep$CriticalEnterEnumSectionWindows
String ID:
API String ID: 2151141519-0
Opcode ID: 73382d69a21fc8b10e3f2b6feb81f70276a3830f2d7b93a82bb811b2617987ba
Instruction ID: d93265669e9007938a92f4f787627f2676029b5fa9748b48d493c5193711b42f
Opcode Fuzzy Hash: 73382d69a21fc8b10e3f2b6feb81f70276a3830f2d7b93a82bb811b2617987ba
Instruction Fuzzy Hash: 5AE01234BC8365B7E5206791BC4BB2626109B1AF16FE04033BE05251F189ED1576DBAF

Function 0041C62E Relevance: 6.0, APIs: 4, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045A330), ref: 0041C635
EnumWindows.USER32(Function_0001C4C8,00000000), ref: 0041C644
Sleep.KERNEL32(0000000A), ref: 0041C64C
LeaveCriticalSection.KERNEL32(0045A330), ref: 0041C663

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSection$EnterEnumLeaveSleepWindows
String ID:
API String ID: 2330576054-0
Opcode ID: d89c22c42e57aabd3498cbb19ec627ac84339c1964f242cdbe1cc6d0312297bb
Instruction ID: dcee21a05d3045d363dcd02448f6caa3d6531bcd56cca3f8a45e9d0838230e62
Opcode Fuzzy Hash: d89c22c42e57aabd3498cbb19ec627ac84339c1964f242cdbe1cc6d0312297bb
Instruction Fuzzy Hash: C0E01D31655210DBD3105750BC0DBD53754BB26727F515177F905901A0C7780D73CAAF

Function 00424A43 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00424A5F

Strings

, xrefs: 00424A86
, xrefs: 00424AAD

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: feac7f76dc94b5783e4b3582f96ef2564f4ba6abda2b2c6b5d659883fdff4339
Instruction ID: 33b27815b10cd5ae0d9f75d352e8626930fb2950cd5553c77a0905c978949869
Opcode Fuzzy Hash: feac7f76dc94b5783e4b3582f96ef2564f4ba6abda2b2c6b5d659883fdff4339
Instruction Fuzzy Hash: F2418B302002786EEF158B64FC59BFA7FE8EF86300F5404E2D545C7192D6A89A85CB9D

Function 00427197 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,776AC310,02160CA8,C:\Windows\system32\,?,?,?,004240FE,776AC310), ref: 004271BF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,004240FE,776AC310,C:\Windows\system32\,76AF0F00,00422306), ref: 004271E2

Strings

C:\Windows\system32\, xrefs: 0042719C

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: C:\Windows\system32\
API String ID: 626452242-1520839452
Opcode ID: b6d2fbc5a7950e7220097fdfe06a27bff97ae25d781c094df7e0fdd367205ce7
Instruction ID: 9976f3b9e9c515abf8fe5d525c105cf3f8f804c2e02001ad50b0d814c6acf228
Opcode Fuzzy Hash: b6d2fbc5a7950e7220097fdfe06a27bff97ae25d781c094df7e0fdd367205ce7
Instruction Fuzzy Hash: BA11547170A135FA9B21DAA6BC44C9FBFACEE057B47600597F514E2290DB349D00D6B8

Function 0041BD1B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041BD31
GetClassNameA.USER32(?,?,00000064), ref: 0041BD78

Strings

tSkMainForm., xrefs: 0041BD81

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ClassNameProcessThreadWindow
String ID: tSkMainForm.
API String ID: 2910564809-1686697352
Opcode ID: c0996536efc8a268fa7003f78edd98bd0af715f5713e0dc792ad712e708df12d
Instruction ID: d7fda74a93f7a17c98ac35d37922188cbf33932d92a6ec5a3ef396d887f97dae
Opcode Fuzzy Hash: c0996536efc8a268fa7003f78edd98bd0af715f5713e0dc792ad712e708df12d
Instruction Fuzzy Hash: CD11A5326143099FEB24DF78EC45BEE77E8EB05304F208026F921D2261E774D555CBA6

Function 00425DAA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,;/B,00000000,00000000,?,?,?,00422ED1,?,00000000,00000002,?,?,00000000,?,00422F3B), ref: 00425DED
GetLastError.KERNEL32 ref: 00425DFA

Strings

;/B, xrefs: 00425DE8

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: ;/B
API String ID: 2976181284-1571933106
Opcode ID: 51b5db301dd2dd0cdb45fe7147b99e41ff3a2e1b340a18d94c7725a81c000008
Instruction ID: 6d547dc73a785259a919e0abce46a1d08874d946646b1649345a307199c2f05a
Opcode Fuzzy Hash: 51b5db301dd2dd0cdb45fe7147b99e41ff3a2e1b340a18d94c7725a81c000008
Instruction Fuzzy Hash: F6014531714A615BC710DF78FC5862637A49B00335FA10B2EF422CB1E1EBB8CE15870A

Function 0041C118 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

lstrcatA.KERNEL32(00000000,Skype), ref: 0041C15A

Part of subcall function 00406718: Sleep.KERNEL32(?,76AF23A0,00000011), ref: 00406726
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406741
Part of subcall function 00406718: FindFirstFileA.KERNEL32(?,?), ref: 00406754
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406798
Part of subcall function 00406718: FindNextFileA.KERNEL32(00000000,00000010), ref: 00406820
Part of subcall function 00406718: FindClose.KERNEL32(00000000), ref: 00406830

lstrcatA.KERNEL32(00000000,Skype), ref: 0041C185

Part of subcall function 00406718: lstrcpyA.KERNEL32(?,00000028,00000000), ref: 004067BB
Part of subcall function 00406718: lstrcatA.KERNEL32(?,0042A3B0), ref: 004067CD
Part of subcall function 00406718: lstrcatA.KERNEL32(?,?), ref: 004067DD
Part of subcall function 00406718: SetFileAttributesA.KERNEL32(?,00000080), ref: 004067F8

Strings

Skype, xrefs: 0041C14D, 0041C152, 0041C17D

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrcat$FileFind$wsprintf$AttributesCloseFirstFolderFromListLocationMallocNextPathSleepSpeciallstrcpy
String ID: Skype
API String ID: 2716033973-477203962
Opcode ID: f6e372764f2739d3fa2bda75dc2356e30d339903e385cd2196b87c1aa44673b1
Instruction ID: c1a38189545c508915f4712d1c6320414e78e6e9c0f6af7b9b33ec3efcade0da
Opcode Fuzzy Hash: f6e372764f2739d3fa2bda75dc2356e30d339903e385cd2196b87c1aa44673b1
Instruction Fuzzy Hash: 6101A777E4821866DB60D6559C06FC677AC8794714F0004E6B688E70C0EAF4A6C58EA6

Function 004112DD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041133D

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Strings

, xrefs: 0041132E
(, xrefs: 0041131B

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: Heap$BitsFreeProcess
String ID: $(
API String ID: 2731446349-55695022
Opcode ID: 2632ad87318b3fcf4a1b5c358fd7aa1ffc99cc22d3695258e023486a58b0e553
Instruction ID: 4904ecbf025400fe124500fb1229366758f519bf40d44cf8624181d92b3334f2
Opcode Fuzzy Hash: 2632ad87318b3fcf4a1b5c358fd7aa1ffc99cc22d3695258e023486a58b0e553
Instruction Fuzzy Hash: 790148B5E00219ABCF109FA6D8498DFBFB8EF88754F00801AF914B6250D7749665CBE9

Function 004156F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 00415701
GetWindowTextA.USER32(?,?,00000078), ref: 00415711

Strings

Twitter, xrefs: 0041571A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: SleepTextWindow
String ID: Twitter
API String ID: 1325625986-3654763050
Opcode ID: 064e06eff7cba56788296dd554277bd5bcdb24fe66745113e8d5994929ac3a61
Instruction ID: 2a0e3f0a641bcea6516841aa513571c01fddd2f65c57e64924d831f9732283cf
Opcode Fuzzy Hash: 064e06eff7cba56788296dd554277bd5bcdb24fe66745113e8d5994929ac3a61
Instruction Fuzzy Hash: 0DF02271A04114EFDB10DB60D84AEEA7BA8FF04304F50806BF815C72D1EB38E885C759

Function 0041BDA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041425E: lstrlenA.KERNEL32(?), ref: 0041426F
Part of subcall function 0041425E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041427A

EnumWindows.USER32(0041BD1B,00000000), ref: 0041BDD7
Sleep.KERNEL32(00003A98), ref: 0041BDE8

Strings

skype.exe, xrefs: 0041BDB0

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CreateEnumSleepSnapshotToolhelp32Windowslstrlen
String ID: skype.exe
API String ID: 568560734-1432977592
Opcode ID: 195c3d88171c88d8f7043fcc9466e7f6e64139ac7150497d749be01f041bee4e
Instruction ID: 026ce47b98fb0bb3bc023706c8bb28edd12f1aeb61dc9ca88d7459c219cc4209
Opcode Fuzzy Hash: 195c3d88171c88d8f7043fcc9466e7f6e64139ac7150497d749be01f041bee4e
Instruction Fuzzy Hash: 2AE02B707883487BDB508360BC077CA3BD8C745709F440096B801A12C2D3A9455A87AA

Function 0041456F Relevance: 5.1, APIs: 4, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?), ref: 00414580
lstrlenA.KERNEL32(?), ref: 00414589
lstrlenA.KERNEL32(00000001), ref: 00414642
lstrlenA.KERNEL32(00000001), ref: 0041464A

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID:
API String ID: 805584807-0
Opcode ID: 42776acb7bce5c27189888d2a9de8f8945e830438a7174f3204c5183a69b064c
Instruction ID: 96f37f27a1d7b8f444bb90a79290ca923e7c0fa8b5e68154ea7ad4550ee58f52
Opcode Fuzzy Hash: 42776acb7bce5c27189888d2a9de8f8945e830438a7174f3204c5183a69b064c
Instruction Fuzzy Hash: 8A2109759011596AC760EBB9AD45ECFBAB8DFC234CF64007BE804E2302D65CC98483BE

Function 004277BE Relevance: 5.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,76AF0A60,00427DAF,76AF0A60,?), ref: 004277E5
HeapAlloc.KERNEL32(00000008,000041C4,00000000,76AF0A60,00427DAF,76AF0A60,?), ref: 0042781E
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0042783C
HeapFree.KERNEL32(00000000,?), ref: 00427853

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: d135cb4e0b7d26a06ac5bb90502da04306d4e935439ad1e294e4bac729d4f9a3
Instruction ID: 60f43418b8eae798e520781b2bf5e10e5e109c30edcb60b24f9c49ec37ffbfdf
Opcode Fuzzy Hash: d135cb4e0b7d26a06ac5bb90502da04306d4e935439ad1e294e4bac729d4f9a3
Instruction Fuzzy Hash: F2118F303046519FC7319F29FC49922BBB5FB81362F90463AF562D35B0E3B09956CB4A

Function 00402587 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0044F79C), ref: 00402591
LeaveCriticalSection.KERNEL32(0044F79C), ref: 004025B3
LeaveCriticalSection.KERNEL32(0044F79C), ref: 004025CB

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: b30226d69d6c95a009fbb70f1d4c4ea9603497d6b275be95153cdd82f531740d
Instruction ID: 3653cf5cc612b0023f781b6b4dba6d175b77ea69c2ca912229ac705fca8a1e44
Opcode Fuzzy Hash: b30226d69d6c95a009fbb70f1d4c4ea9603497d6b275be95153cdd82f531740d
Instruction Fuzzy Hash: 67F0A431105210FFDB106F24ED1D85A3BA8FF463657504037FC05E22D0EFB9AA12A66D

Function 004144C0 Relevance: 5.0, APIs: 4, Instructions: 32stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0044F79C,00000000,?,00411555,00000000,0044F79C,0000000C,0044F79C,0041159B,?), ref: 004144D0
lstrcmpA.KERNEL32(00000000,0044F79C,00000000,?,00411555,00000000,0044F79C,0000000C,0044F79C,0041159B,?), ref: 004144DC
lstrlenA.KERNEL32(0044F79C,?,00411555,00000000,0044F79C,0000000C,0044F79C,0041159B,?), ref: 004144F1
lstrcpyA.KERNEL32(00000000,0044F79C,?,00411555,00000000,0044F79C,0000000C,0044F79C,0041159B,?), ref: 00414505

Memory Dump Source

Source File: 00000002.00000002.207849004523.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.207848960982.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849081345.000000000042A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849121035.000000000042E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849173551.0000000000448000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849211320.0000000000449000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.000000000044E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000458000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000463000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.207849251119.0000000000465000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_takyouhoymc.jbxd

Similarity

API ID: lstrlen$lstrcmplstrcpy
String ID:
API String ID: 3985954171-0
Opcode ID: 00f4a7b12345b7478585a4820a68565f009b8fdd1a8706a2b7f12ee67cc71e5c
Instruction ID: 7cd2a430f1160ec2a51e39b2ae96134d5fee5d311598402a0e4aec16addf71a8
Opcode Fuzzy Hash: 00f4a7b12345b7478585a4820a68565f009b8fdd1a8706a2b7f12ee67cc71e5c
Instruction Fuzzy Hash: B2F01271200105EFEF216FA5DD099A67BACEF00325710442AFC95D7211DB79E9A1CA69

Analysis Process: zjisvko.exePID: 7864, Parent PID: 4740COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1904
Total number of Limit Nodes:	69

Executed Functions

Function 0040C7E0 Relevance: 121.3, APIs: 67, Strings: 2, Instructions: 588
registrystringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040C812
lstrcpyA.KERNEL32(?,00000000), ref: 0040C865
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040C895
lstrlenA.KERNEL32(?), ref: 0040C8A8
RegSetValueExA.KERNELBASE(?,Shell,00000000,00000001,?,00000000), ref: 0040C8BD
RegCloseKey.KERNEL32(?), ref: 0040C8C6
Sleep.KERNEL32(00000064), ref: 0040C8CE
lstrlenA.KERNEL32(?), ref: 0040C932
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040C949
RegCloseKey.KERNEL32(?), ref: 0040C952
Sleep.KERNEL32(00000064), ref: 0040C95A
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040C986
lstrcatA.KERNEL32(?,0042A778), ref: 0040C9C3
Sleep.KERNEL32(00000064), ref: 0040C9CB
lstrlenA.KERNEL32(?), ref: 0040C9D4
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040C9EB
RegCloseKey.KERNEL32(?), ref: 0040C9F4
Sleep.KERNEL32(00000064), ref: 0040C9FC
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CA28
lstrlenA.KERNEL32(?), ref: 0040CA60
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CA77
RegCloseKey.KERNEL32(?), ref: 0040CA80
Sleep.KERNEL32(00000064), ref: 0040CA88
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CAB4
lstrlenA.KERNEL32(?), ref: 0040CAEC
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CB03
RegCloseKey.KERNEL32(?), ref: 0040CB0C
Sleep.KERNEL32(00000064), ref: 0040CB14
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CB40
lstrcatA.KERNEL32(?,0042A778), ref: 0040CB7D
lstrlenA.KERNEL32(?), ref: 0040CB8A
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CBA1
RegCloseKey.KERNEL32(?), ref: 0040CBAA
Sleep.KERNEL32(00000064), ref: 0040CBB2
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040CBC0
lstrlenA.KERNEL32(?), ref: 0040CBCD
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CC03
lstrlenA.KERNEL32(?), ref: 0040CC36
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CC4D
RegCloseKey.KERNEL32(?), ref: 0040CC56
Sleep.KERNEL32(00000064), ref: 0040CC5E
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CC8A
lstrcatA.KERNEL32(?,0042A778), ref: 0040CCC3
lstrlenA.KERNEL32(?), ref: 0040CCD0
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CCE7
RegCloseKey.KERNEL32(?), ref: 0040CCF0
Sleep.KERNEL32(00000064), ref: 0040CCF8
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 0040CD24
lstrlenA.KERNEL32(?), ref: 0040CD58
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CD6F
RegCloseKey.KERNEL32(?), ref: 0040CD78
Sleep.KERNEL32(00000064), ref: 0040CD80
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040C8FA

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

Part of subcall function 0040C7B4: lstrcatA.KERNEL32(76AF0F00,.exe,76AF0F00,0040CE0C,?,?,-00000004), ref: 0040C7D6

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040CD9B
lstrlenA.KERNEL32(?), ref: 0040CDA8
Sleep.KERNEL32(00000064), ref: 0040CDB6
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CDE2
lstrlenA.KERNEL32(?), ref: 0040CE16
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CE2D
RegCloseKey.KERNEL32(?), ref: 0040CE36
Sleep.KERNEL32(00000064), ref: 0040CE3E
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,?,00000000), ref: 0040CE6A
lstrcatA.KERNEL32(?,0042A778), ref: 0040CEA3
lstrlenA.KERNEL32(?), ref: 0040CEB0
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 0040CEC7
RegCloseKey.KERNEL32(?), ref: 0040CED0
Sleep.KERNEL32(00000064), ref: 0040CED8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040CBB4, 0040CD8F
Shell, xrefs: 0040C8B5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$Sleep$CloseCreateValue$lstrcat$lstrcpy$CountTick
String ID: C:\Users\user\AppData\Local\Temp\$Shell
API String ID: 2961240498-2765105148
Opcode ID: 7404fc93447d8bf64e56304fcf3f363a38a5c7cd9712ee1ee70b377c33cd25fb
Instruction ID: 90de6ba1451ff6c394c1e8d4d076b74571b15df8ac0f0f587aead68d2d5e9081
Opcode Fuzzy Hash: 7404fc93447d8bf64e56304fcf3f363a38a5c7cd9712ee1ee70b377c33cd25fb
Instruction Fuzzy Hash: F2123DB2D4021CBFEB21EB90DC8AFEA777DEB44305F1004BAB605A5051EEB45F948E65

Function 00412FDD Relevance: 44.1, APIs: 23, Strings: 2, Instructions: 336
sleepstringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00412FF4
GetTickCount.KERNEL32 ref: 00412FF6
GetTickCount.KERNEL32 ref: 0041304E
GetTickCount.KERNEL32 ref: 0041307A
GetTickCount.KERNEL32 ref: 004130E4
GetTickCount.KERNEL32 ref: 0041312D
GetTickCount.KERNEL32 ref: 00413150
GetTickCount.KERNEL32 ref: 004131AA
Sleep.KERNEL32(00000003), ref: 004131D0
GetTickCount.KERNEL32 ref: 004131E8
lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\), ref: 00413218
lstrlenA.KERNEL32(00000000,00000027), ref: 00413227
GetTickCount.KERNEL32 ref: 00413249
Sleep.KERNEL32(00000064), ref: 00413255
GetTickCount.KERNEL32 ref: 004132AE

Part of subcall function 004015BB: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,76AF23A0), ref: 004015F4
Part of subcall function 004015BB: ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040160B
Part of subcall function 004015BB: CloseHandle.KERNEL32(00000000), ref: 00401612

GetTickCount.KERNEL32 ref: 00413321
GetTickCount.KERNEL32 ref: 00413342
Sleep.KERNEL32(000000FD), ref: 0041336A
Sleep.KERNEL32(0000EA60), ref: 00413378
InternetGetConnectedState.WININET(?,00000000), ref: 0041337F
GetTickCount.KERNEL32 ref: 004133E3
GetTickCount.KERNEL32 ref: 00413406

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0041320C
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0041302D, 004131EF

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountTick$Sleep$File$CloseConnectedCreateHandleInternetReadStatelstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 2589685863-1343724464
Opcode ID: dcb2bc8a0933efe07fedba4657b0612ce8228edf4dafa6e5b63ad683bb14c1b8
Instruction ID: b377c5010cb92b842955c200201b203a8470812258737c0f6d08faac805126b8
Opcode Fuzzy Hash: dcb2bc8a0933efe07fedba4657b0612ce8228edf4dafa6e5b63ad683bb14c1b8
Instruction Fuzzy Hash: DCC1D131804349DADB21EFA4D9457EEBBB0AB05316F24046FD814A3292DBBC9EC5C75E

Function 004121EB Relevance: 37.2, APIs: 20, Strings: 1, Instructions: 403
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(00003EE0), ref: 00412263
socket.WS2_32(00000002,00000001,00000000), ref: 0041228F
closesocket.WS2_32(00000000), ref: 004122A0
bind.WS2_32(00000000,?,00000010), ref: 004122B4
closesocket.WS2_32(00000000), ref: 00412699

Strings

GET , xrefs: 004125E7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: closesocket$bindhtonssocket
String ID: GET
API String ID: 1339886155-3027191851
Opcode ID: 7ccfd6f5997ca50ce5dc6db67e99f9f710f04afa0fa3745a461eff4530263eaa
Instruction ID: d311fc27eb13a375107f39839a4af2a922eccf7441768b3d5e47e018ee900ff6
Opcode Fuzzy Hash: 7ccfd6f5997ca50ce5dc6db67e99f9f710f04afa0fa3745a461eff4530263eaa
Instruction Fuzzy Hash: 99D11471910214EFCF149F64ED88AEE77B8FB09355F10012BE516E2291DBB89DA1CB2D

Function 0041C19E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 258
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 0041C1BB
GetTickCount.KERNEL32 ref: 0041C1CB
Sleep.KERNEL32(skype.exe), ref: 0041C1E8
GetTickCount.KERNEL32 ref: 0041C1EA
GetTickCount.KERNEL32 ref: 0041C270
Sleep.KERNEL32(00002710), ref: 0041C29E
Sleep.KERNEL32(000003E8), ref: 0041C2A7
GetTickCount.KERNEL32 ref: 0041C2BD
Sleep.KERNEL32(000003E7), ref: 0041C2DF
GetTickCount.KERNEL32 ref: 0041C2E1
Sleep.KERNEL32(00007530), ref: 0041C303
Sleep.KERNEL32(00001388), ref: 0041C318
Sleep.KERNEL32(0000EA60), ref: 0041C327

Part of subcall function 00414776: EnumWindows.USER32(0041470D,00000000), ref: 00414780

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

InitializeCriticalSection.KERNEL32(0045A330), ref: 0041C372
InitializeCriticalSection.KERNEL32(00463AB4), ref: 0041C379
InitializeCriticalSection.KERNEL32(0045B020), ref: 0041C380
Sleep.KERNEL32(000003E8), ref: 0041C387
CreateThread.KERNEL32(00000000,00000000,0041C62E,00000000,00000000,00000000), ref: 0041C4AC
CreateThread.KERNEL32(00000000,00000000,004218D6,00000000,00000000,00000000), ref: 0041C4B8
Sleep.KERNEL32(000001F4), ref: 0041C4C4

Strings

skype.exe, xrefs: 0041C1D7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$CountTick$CriticalInitializeSection$CreateThread$EnumWindows
String ID: skype.exe
API String ID: 147955496-1432977592
Opcode ID: b18f0ede664f73b0f0952701a09adeefa0eeb19875e95bee723ef58539dce3fe
Instruction ID: da50cea28471ff58dfe6edcfae1584a9064ff1a257102cfc2779c5ee05b94594
Opcode Fuzzy Hash: b18f0ede664f73b0f0952701a09adeefa0eeb19875e95bee723ef58539dce3fe
Instruction Fuzzy Hash: D77129B09C8358BEE620A7619CC2BFB375CE70675AF04056BB90956183D77C8CC58A6F

Function 004092D5 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 114stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,?,00000000), ref: 004092E3
wsprintfA.USER32 ref: 00409304

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

wsprintfA.USER32 ref: 00409318
FindFirstFileA.KERNEL32(?,?), ref: 0040932F
wsprintfA.USER32 ref: 00409379
lstrcpyA.KERNEL32(?,00000026), ref: 004093C7
lstrcatA.KERNEL32(?,0042A3B0), ref: 004093D5
lstrcatA.KERNEL32(?,?), ref: 004093E5
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00409414
FindClose.KERNEL32(00000000), ref: 00409427
lstrcpyA.KERNEL32(?,?), ref: 0040943E

Strings

%s\%s*, xrefs: 004092FE
%s\%s, xrefs: 00409373
.exe, xrefs: 004093AC
%s\*, xrefs: 00409312
., xrefs: 00409356

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Findwsprintf$Filelstrcatlstrcpylstrlen$CloseFirstNextSleep
String ID: %s\%s$%s\%s*$%s\*$.$.exe
API String ID: 726025564-1488415943
Opcode ID: a7d0326dc2477d88f4b0589bebf32cb8436afe741def76fa24b80a86e5e35189
Instruction ID: 8a5b5f6320cb998d4a51ea96e090637559c7b13efd41aa9022c31fab5c575317
Opcode Fuzzy Hash: a7d0326dc2477d88f4b0589bebf32cb8436afe741def76fa24b80a86e5e35189
Instruction Fuzzy Hash: 1F41837690421DABCF219FA0DD88EDA7B6CEF14314F4400A2FD08E2191D779DEA68F95

Function 00414883 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 99stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,76AE83C0,76AE8A60,00000000), ref: 00414891
wsprintfA.USER32 ref: 004148AF
FindFirstFileA.KERNEL32(?,?), ref: 004148C2
wsprintfA.USER32 ref: 00414905
lstrlenA.KERNEL32(?), ref: 00414946
lstrcmpiA.KERNEL32(?,00000000), ref: 0041495F
lstrcpyA.KERNEL32(?,00000000), ref: 00414973
lstrcatA.KERNEL32(?,0042A3B0), ref: 00414985
lstrcatA.KERNEL32(?,?), ref: 00414995
SetFileAttributesA.KERNEL32(?,00000080), ref: 004149A3
DeleteFileA.KERNEL32(?), ref: 004149B0
FindNextFileA.KERNEL32(00000000,00000010), ref: 004149BE
FindClose.KERNEL32(00000000), ref: 004149CF

Strings

%s\%s, xrefs: 004148FF
., xrefs: 004148E2
%s\*, xrefs: 004148A9

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Find$lstrcatwsprintf$AttributesCloseDeleteFirstNextSleeplstrcmpilstrcpylstrlen
String ID: %s\%s$%s\*$.
API String ID: 2620824442-2663966076
Opcode ID: fd92c6bfed2bd7e8c494e1457349e005d97c8806da0db38c392aa86de6e5bc65
Instruction ID: 9e4a764dee98d0fe3cbafeb52e22fe68a34b156404d9c119ea68426d0a8c7798
Opcode Fuzzy Hash: fd92c6bfed2bd7e8c494e1457349e005d97c8806da0db38c392aa86de6e5bc65
Instruction Fuzzy Hash: 7A311FB1A0021EABCF21DFA0DD8CFDB777CAB54315F4005A2BA09D2150D6789AA5CF95

Function 0040683C Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 118sleepstringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.KERNEL32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

Part of subcall function 00413D4D: GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
Part of subcall function 00413D4D: OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
Part of subcall function 00413D4D: GetCurrentThread.KERNEL32 ref: 00413D74
Part of subcall function 00413D4D: OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B

CreateThread.KERNEL32(00000000,00000000,0040604A,00000000,00000000,00000000), ref: 0040686A
GetTickCount.KERNEL32 ref: 00406882
Sleep.KERNEL32(00000BB8), ref: 00406899
GetTickCount.KERNEL32 ref: 004068AB
Sleep.KERNEL32(000003E8), ref: 004068BE
K32EnumProcesses.KERNEL32(?,00001000,?), ref: 004068D4
lstrcpyA.KERNEL32(?,unknown), ref: 004068FF
OpenProcess.KERNEL32(00000411,00000000,?), ref: 0040690E
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00406925
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104), ref: 0040693F
TerminateProcess.KERNEL32(00000000,00000000), ref: 00406969
CloseHandle.KERNEL32(00000000), ref: 00406977
EnumWindows.USER32(00405FD0,?), ref: 0040698A

Strings

SeDebugPrivilege, xrefs: 00406850
unknown, xrefs: 004068F3

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Process$DeleteEnumOpenThread$CloseCountCreateCurrentSleepTickTokenWindow$BaseCriticalDesktopEnterHandleModuleModulesNameProcessesRectSectionTerminateValueWindowslstrcpylstrlen
String ID: SeDebugPrivilege$unknown
API String ID: 3286018168-986860467
Opcode ID: 80a5958d18f964215dc2cf66851f0e2fd2d1e50365b2883e728d62c644ab6e73
Instruction ID: 9c0e891f918fde1bb4dc23caddae53347e05642ca6a43f5c02609fdc1fd254ea
Opcode Fuzzy Hash: 80a5958d18f964215dc2cf66851f0e2fd2d1e50365b2883e728d62c644ab6e73
Instruction Fuzzy Hash: A84154B1A01304ABEB20ABA19D49FEF777CEB04715F514077FA02F11D1DB78A950CA6A

Function 00406718 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 85stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00404909,76AEE800,00000000), ref: 00406726
wsprintfA.USER32 ref: 00406741
FindFirstFileA.KERNEL32(?,?), ref: 00406754
wsprintfA.USER32 ref: 00406798
lstrcpyA.KERNEL32(?,00000000,0000000F), ref: 004067BB
lstrcatA.KERNEL32(?,0042A3B0), ref: 004067CD
lstrcatA.KERNEL32(?,?), ref: 004067DD
SetFileAttributesA.KERNEL32(?,00000080), ref: 004067F8
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00406820
FindClose.KERNEL32(00000000), ref: 00406830

Strings

%s\%s, xrefs: 00406792
%s\*, xrefs: 0040673B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: FileFind$lstrcatwsprintf$AttributesCloseFirstNextSleeplstrcpy
String ID: %s\%s$%s\*
API String ID: 2421785216-2848263008
Opcode ID: 4a7a8562fb6de0a137325da55f563f4c68a4949db7d4457257728d2b58b9eea9
Instruction ID: 0ecd25e5d59f9a0595605ca4691443b617c16b77e013c2d7aa34b0ccf6123ddf
Opcode Fuzzy Hash: 4a7a8562fb6de0a137325da55f563f4c68a4949db7d4457257728d2b58b9eea9
Instruction Fuzzy Hash: 923159B290021DABCF21ABA0DD89FDE777CEB14314F4044A3F905E6050DA749BA5CF55

Function 00407850 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,76AF0440,00000000), ref: 00407864
wsprintfA.USER32 ref: 00407883
FindFirstFileA.KERNEL32(?,?), ref: 00407896
wsprintfA.USER32 ref: 004078D4
FindNextFileA.KERNELBASE(00000000,00000010), ref: 0040798E
FindClose.KERNEL32(00000000), ref: 004079BA

Strings

%s\%s, xrefs: 004078CE
.exe, xrefs: 0040790E
%s\*, xrefs: 0040787D

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Find$Filewsprintf$CloseFirstNextSleep
String ID: %s\%s$%s\*$.exe
API String ID: 1758027058-2151574129
Opcode ID: 5f073de3dcff7f9fe1fd304a7e1876fc0275856f7beec281107b431e190248e2
Instruction ID: 163c00c7d8bbd4ad810b400cbd44254186020fd6e3715fb87303bc0dc3067a1c
Opcode Fuzzy Hash: 5f073de3dcff7f9fe1fd304a7e1876fc0275856f7beec281107b431e190248e2
Instruction Fuzzy Hash: 8141D772E082285BEF30A7A09D48BDE77AC9F45315F1400B7ED44F2191D77CAA84CB5A

Function 00413D4D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,0040D4C0,76AF0F00,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D5A
OpenProcessToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D61
GetCurrentThread.KERNEL32 ref: 00413D74
OpenThreadToken.ADVAPI32(00000000,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413D7B
LookupPrivilegeValueA.ADVAPI32(00000000,00000001,=A), ref: 00413D99
AdjustTokenPrivileges.KERNELBASE(0040D4C0,00000000,?,00000000,00000000,00000000), ref: 00413DC2
CloseHandle.KERNEL32(0040D4C0,?,00413DE4,SeShutdownPrivilege,00000001,0040D4C0), ref: 00413DCD

Strings

=A, xrefs: 00413D91, 00413D94

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Token$CurrentOpenProcessThread$AdjustCloseHandleLookupPrivilegePrivilegesValue
String ID: =A
API String ID: 2466252811-2399317284
Opcode ID: 4fe2538e3e2ea93d9b9fbef1b55b33063fb91e0da2af47dccb38c6a48e1a1dd9
Instruction ID: 475d8baa3e36ee8e1e9a3101c06148507bb2b604236046abb380cd1cc11b1ce2
Opcode Fuzzy Hash: 4fe2538e3e2ea93d9b9fbef1b55b33063fb91e0da2af47dccb38c6a48e1a1dd9
Instruction Fuzzy Hash: FF112A71A01218FFDB109FA09D09DEF7ABCEF04742F504066F901E2150DA349F459BA9

Function 0040F488 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 577networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040F4D5
Sleep.KERNEL32(000003E8), ref: 0040FA52

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

gethostname.WS2_32(?,00000080), ref: 0040FAA9
gethostbyname.WS2_32(?), ref: 0040FAB6

Strings

asdf, xrefs: 0040F830
IP: , xrefs: 0040F84E

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$CountSleepTickgethostbynamegethostname
String ID: IP: $asdf
API String ID: 452584736-2391607419
Opcode ID: 675ad9c3315867715e073771c222b3fc62d84ebd2aaea0f34cbab47e72c131b5
Instruction ID: ab9c753e390d52234ecca9495911783dd6aac38805f13ab3233c2d1990d96d36
Opcode Fuzzy Hash: 675ad9c3315867715e073771c222b3fc62d84ebd2aaea0f34cbab47e72c131b5
Instruction Fuzzy Hash: EF0228B2A00248ABDB31EBA4CC51BEB739DAB09304F440477F544B65C3D67C9E4D8B6A

Function 00405F6F Relevance: 7.5, APIs: 5, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.KERNEL32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

GetTickCount.KERNEL32 ref: 00405F9D
Sleep.KERNEL32(00000BB8,00000001), ref: 00405FA8
GetTickCount.KERNEL32 ref: 00405FB6
EnumWindows.USER32(00405D79,00000000), ref: 00405FC1
Sleep.KERNEL32(000000C8), ref: 00405FCC

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Delete$CountSleepTickWindow$CloseCreateCriticalDesktopEnterEnumRectSectionValueWindowslstrlen
String ID:
API String ID: 281037392-0
Opcode ID: 6e28c6a7874f98d17b639abd47b63a2de883149d4e808e2792f3a1761e57c11a
Instruction ID: c11db00c360bf4b784d5b7d7eeec3b580e66b8c7e3f3393114e085b604093c77
Opcode Fuzzy Hash: 6e28c6a7874f98d17b639abd47b63a2de883149d4e808e2792f3a1761e57c11a
Instruction Fuzzy Hash: AFF02720285A0A9BD52077A18D86F7F3614DB14B04F60003BB944B72C1AEBC5815C9BF

Function 0040C431 Relevance: 3.0, APIs: 2, Instructions: 23sleepCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0040C440
Sleep.KERNEL32(000003E8), ref: 0040C46A

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: a18abad0d9134f67dbb407c31c5c62fbab7a71adb5fb281b7f8a0cd74ff0b0b2
Instruction ID: ec4e0dc912df284146a4d6c4ec45948b48cf9508f1cb833489b9ad9e6170350e
Opcode Fuzzy Hash: a18abad0d9134f67dbb407c31c5c62fbab7a71adb5fb281b7f8a0cd74ff0b0b2
Instruction Fuzzy Hash: C8E0ED32804218EBDB219B95D8896AE7739F741721F610265D801732818A787E429AF9

Function 004095B5 Relevance: 389.7, APIs: 23, Strings: 199, Instructions: 1235
keyboardstringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00007530), ref: 004095CF
Sleep.KERNEL32(0000EA60), ref: 004095EB
Sleep.KERNEL32(00000001), ref: 0040A682
GetKeyState.USER32(00000010), ref: 0040A696
GetAsyncKeyState.USER32(?), ref: 0040A6A8
GetKeyState.USER32(00000014), ref: 0040A6B6
GetKeyState.USER32(00000014), ref: 0040A6E0
GetForegroundWindow.USER32 ref: 0040A73A
GetWindowTextA.USER32(00000000,?,000000C7), ref: 0040A750
lstrlenA.KERNEL32(?), ref: 0040A75D
lstrlenA.KERNEL32(00457AB8), ref: 0040A816
lstrlenA.KERNEL32(00457AB8), ref: 0040A832
lstrcatA.KERNEL32(00457AB8,0042A4DC), ref: 0040A846

Strings

, xrefs: 00409ABC
b, xrefs: 00409A0D
I, xrefs: 0040A436
S, xrefs: 0040A472
5, xrefs: 0040A282
,, xrefs: 0040A582
8, xrefs: 0040A3B4
o, xrefs: 004098A6
8, xrefs: 0040979A
:, xrefs: 0040A030
2, xrefs: 00409BEB
a, xrefs: 0040A60A
[T], xrefs: 004097F9
k, xrefs: 0040A5F6
1, xrefs: 00409BD8
, xrefs: 0040A865
x, xrefs: 004099D4
G, xrefs: 0040A490
3, xrefs: 0040973B
6, xrefs: 0040A28F
k, xrefs: 00409975
&, xrefs: 00409E1A
a, xrefs: 004098F2
T, xrefs: 00409EED
A, xrefs: 00409F85
>, xrefs: 0040A0EE
", xrefs: 0040A043
7, xrefs: 00409C4A
/, xrefs: 0040A207
J, xrefs: 00409FF7
q, xrefs: 0040980E
z, xrefs: 004099C1
w, xrefs: 0040A332
6, xrefs: 0040A3A0
4, xrefs: 00409C11
n, xrefs: 0040A664
?, xrefs: 0040A101
C, xrefs: 0040A07C
2, xrefs: 0040A25B
5, xrefs: 00409C24
', xrefs: 004099AE
+, xrefs: 00409BB2
8, xrefs: 00409C5D
0, xrefs: 0040A241
;, xrefs: 0040999B
w, xrefs: 00409821
9, xrefs: 0040A2B6
x, xrefs: 0040A33C
f, xrefs: 0040A63C
H, xrefs: 0040A49A
B, xrefs: 0040A0A2
A, xrefs: 0040A468
y, xrefs: 0040986D
!, xrefs: 00409DAA
r, xrefs: 00409845
0, xrefs: 0040A3C8
s, xrefs: 00409905
y, xrefs: 0040A346
V, xrefs: 0040A08F
-, xrefs: 0040A596
e, xrefs: 00409834
9, xrefs: 0040A3BE
*, xrefs: 00409B8C
$, xrefs: 00409DE3
Y, xrefs: 0040A422
~, xrefs: 00409D97
6, xrefs: 00409C37
s, xrefs: 0040A30A
i, xrefs: 00409893
R, xrefs: 0040A40E
#, xrefs: 0040A5BA
o, xrefs: 0040A5D8
-, xrefs: 004097D3
$, xrefs: 0040A5A0
4, xrefs: 0040A275
F, xrefs: 00409FBE
g, xrefs: 0040A646
7, xrefs: 0040A3AA
[, xrefs: 0040A56E
{, xrefs: 0040A35A
1, xrefs: 0040A36E
m, xrefs: 00409A33
!, xrefs: 0040A5AA
(, xrefs: 00409E40
P, xrefs: 0040A44A
h, xrefs: 0040A650
0, xrefs: 004097C0
z, xrefs: 0040A350
c, xrefs: 0040A61E
r, xrefs: 0040A300
N, xrefs: 0040A0B5
Z, xrefs: 0040A4D6
[T], xrefs: 00409E8C
B, xrefs: 0040A4FE
\, xrefs: 0040A578
E, xrefs: 00409EC7
^, xrefs: 00409E0F
7, xrefs: 0040A29C
j, xrefs: 00409964
<, xrefs: 0040A0DB
5, xrefs: 0040A396
R, xrefs: 00409EDA
p, xrefs: 0040A2EC
5, xrefs: 00409761
8, xrefs: 0040A2A9
h, xrefs: 00409951
n, xrefs: 00409A20
}, xrefs: 00409F72
9, xrefs: 004097AD
@, xrefs: 00409DBD
J, xrefs: 0040A4A4
[<], xrefs: 0040A914, 0040A91B
_, xrefs: 00409E66
O, xrefs: 0040A440
K, xrefs: 0040A4AE
%, xrefs: 00409DF6
v, xrefs: 004099FA
#, xrefs: 00409DD0
X, xrefs: 0040A069
I, xrefs: 00409F26
2, xrefs: 0040A378
L, xrefs: 0040A4B8
u, xrefs: 0040A31E
U, xrefs: 0040A42C
U, xrefs: 00409F13
V, xrefs: 0040A4F4
3, xrefs: 0040A382
Q, xrefs: 00409EA1
N, xrefs: 0040A528
*, xrefs: 0040A21A
M, xrefs: 0040A0C8
X, xrefs: 0040A4E0
Y, xrefs: 00409F00
`, xrefs: 00409700
c, xrefs: 004099E7
H, xrefs: 00409FE4
,, xrefs: 00409A46
m, xrefs: 0040A5EC
d, xrefs: 0040A628
Z, xrefs: 0040A056
t, xrefs: 0040A314
v, xrefs: 0040A328
6, xrefs: 00409774
K, xrefs: 0040A00A
], xrefs: 004098DF
+, xrefs: 00409E79
/, xrefs: 00409B79
g, xrefs: 0040993E
1, xrefs: 0040A24E
e, xrefs: 0040A632
-, xrefs: 0040A227
-, xrefs: 00409B9F
t, xrefs: 0040985A
", xrefs: 0040A5C4
p, xrefs: 004098B9
q, xrefs: 0040A2F6
\, xrefs: 00409A80
S, xrefs: 00409F98
4, xrefs: 0040974E
u, xrefs: 00409880
1, xrefs: 00409713
l, xrefs: 00409988
W, xrefs: 0040A3FA
*, xrefs: 00409E2D
|, xrefs: 0040A114
+, xrefs: 0040A234
d, xrefs: 00409918
L, xrefs: 0040A01D
0, xrefs: 00409BC3
D, xrefs: 0040A47C
7, xrefs: 00409787
=, xrefs: 004097E6
b, xrefs: 0040A614
W, xrefs: 00409EB4
`, xrefs: 0040A600
E, xrefs: 0040A404
f, xrefs: 0040992B
D, xrefs: 00409FAB
{, xrefs: 00409F5F
G, xrefs: 00409FD1
M, xrefs: 0040A532
[, xrefs: 004098CC
[C], xrefs: 00409A93
[<], xrefs: 0040A900, 0040A907
9, xrefs: 00409C70
i, xrefs: 0040A65A
O, xrefs: 00409F39
3, xrefs: 00409BFE
2, xrefs: 00409728
Q, xrefs: 0040A3F0
P, xrefs: 00409F4C
T, xrefs: 0040A418
3, xrefs: 0040A268
4, xrefs: 0040A38C
F, xrefs: 0040A486
C, xrefs: 0040A4EA
/, xrefs: 00409A6D
j, xrefs: 0040A5E2
), xrefs: 00409E53

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: State$Sleeplstrlen$Window$AsyncForegroundTextlstrcat
String ID: $ $!$!$"$"$#$#$$$$$%$&$'$($)$*$*$*$+$+$+$,$,$-$-$-$-$/$/$/$0$0$0$0$1$1$1$1$2$2$2$2$3$3$3$3$4$4$4$4$5$5$5$5$6$6$6$6$7$7$7$7$8$8$8$8$9$9$9$9$:$;$<$=$>$?$@$A$A$B$B$C$C$D$D$E$E$F$F$G$G$H$H$I$I$J$J$K$K$L$L$M$M$N$N$O$O$P$P$Q$Q$R$R$S$S$T$T$U$U$V$V$W$W$X$X$Y$Y$Z$Z$[$[$[<]$[<]$[C]$[T]$[T]$\$\$]$^$_$`$`$a$a$b$b$c$c$d$d$e$e$f$f$g$g$h$h$i$i$j$j$k$k$l$m$m$n$n$o$o$p$p$q$q$r$r$s$s$t$t$u$u$v$v$w$w$x$x$y$y$z$z${${$|$}$~
API String ID: 3575194195-2271419567
Opcode ID: 6cda244e52db42d6c007d4501fa802595a9ecb9f91306f0074cf77608459415e
Instruction ID: df153dc5a53d45ebde2be742832d1a1b3fb3dbbf52d9bd87248e0ab54d23e74c
Opcode Fuzzy Hash: 6cda244e52db42d6c007d4501fa802595a9ecb9f91306f0074cf77608459415e
Instruction Fuzzy Hash: 5AB2FB75924628AEDB62CB68CC053DBBBB1AF48345F4148E5C20CF7150DBB56F898F4A

Function 0040A949 Relevance: 276.5, APIs: 156, Strings: 1, Instructions: 1764libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,776AC310,00000000,00000000), ref: 0040A96C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A99C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9BB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9DA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040A9F9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA18
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA37
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA56
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA75
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AA94
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAB3
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAD2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AAF1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB10
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB2F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AB4E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ABCF
GetLastError.KERNEL32 ref: 0040ABE1
LoadLibraryA.KERNEL32(00000000), ref: 0040AC0D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC35
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC54
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC73
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AC92
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACB1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ACEF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD0E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AD4C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADB9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADD8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040ADF7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE16
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE5B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE7A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AE99
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AEB8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AED7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AEF6
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF15
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF34
GetLastError.KERNEL32 ref: 0040AF6D
LoadLibraryA.KERNEL32(00000000), ref: 0040AF99
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFC1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFE0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AFFF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B01E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B03D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B05C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B07B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B09A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B0B9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B0D8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B145
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B164
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B183
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1A2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1C1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1E0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B21E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B267
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B286
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2A5
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2C4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B2E3
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B302
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B321
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B340
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B35F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B37E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B39D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3DB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B3FA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B419
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B438
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B457
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B4F4
GetLastError.KERNEL32 ref: 0040B501
LoadLibraryA.KERNEL32(00000000), ref: 0040B52D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B555
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B574
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B593
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5B2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5D1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B5F0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B60F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B62E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B64D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B66C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B68B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6C9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B6E8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B707
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B726
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B745
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B764
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B783
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7A2
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7C1
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7E0
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B7FF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B81E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B83D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B85C
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B87B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B89A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8B9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8D8
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B8F7
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B916
GetLastError.KERNEL32 ref: 0040BA33
LoadLibraryA.KERNEL32(00000000), ref: 0040BA5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BA87
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAA6
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAC5
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BAE4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB03
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB22
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB60
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB7F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BB9E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BBBD
LoadLibraryA.KERNEL32(00000000), ref: 0040BC46
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BC6E
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BC8D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCAC
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCCB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BCEA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BD09
GetLastError.KERNEL32 ref: 0040BD3A
LoadLibraryA.KERNEL32(00000000), ref: 0040BD66
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BD8A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BDA9
GetLastError.KERNEL32 ref: 0040BDBE
LoadLibraryA.KERNEL32(00000000), ref: 0040BDEA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE12
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE50
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BE8E
GetLastError.KERNEL32 ref: 0040BEB3
LoadLibraryA.KERNEL32(00000000), ref: 0040BEE5
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF08
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF29
GetLastError.KERNEL32 ref: 0040BF3A
LoadLibraryA.KERNEL32(00000000), ref: 0040BF66
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BF89
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BFAA
GetProcAddress.KERNEL32(0040DBD8,00000000), ref: 0040BFCB
LoadLibraryA.KERNEL32(00000000), ref: 0040BFE9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040C009

Strings

%\W, xrefs: 0040ABFF

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast$HandleModule
String ID: %\W
API String ID: 1445086619-583437078
Opcode ID: 559059990ff643097508b6262fd03eeb35fb8387410a21d0e2ae341eea3bf3a4
Instruction ID: fe00ecd7844f749915d9149580f3465eef428d98f78ac84402cf4c52ab4222cc
Opcode Fuzzy Hash: 559059990ff643097508b6262fd03eeb35fb8387410a21d0e2ae341eea3bf3a4
Instruction Fuzzy Hash: A4C2E1F5D40314AFE751AF50AC82EBA36ACD714705F14057FFA04E1192EFB85A848FAA

Function 00406151 Relevance: 84.5, APIs: 56, Instructions: 463
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNEL32(80000001,00000000,76AF23A0,-000927C0,00000011), ref: 00406190
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004061BA
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004), ref: 004061C8
RegCloseKey.KERNEL32(?,?,?,00000000,00000004,00000001,00000004), ref: 004061CD
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004), ref: 004061D5
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 00406201
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040622F
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406237
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040623E
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406261
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406269
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040628C
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406294
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004062B7
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004062BF
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004062E2
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004062EA
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 0040630D
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406315
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406338
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406340
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406363
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040636B
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040638E
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406396
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004063B9
RegCloseKey.KERNEL32(?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004063C2
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004063CA
RegCreateKeyExA.KERNEL32(80000001,00000000,00000000,00000000,00020006,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004063FD
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406405
RegSetValueExA.KERNELBASE(?,00000000,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 00406428
RegCloseKey.KERNEL32(?,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406431
Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406439
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 00406465
Sleep.KERNEL32(00000064,?,?,?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040646D
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001), ref: 00406490
RegCloseKey.KERNEL32(?,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 00406499
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,?,?,?,00000000,00000004,00000001,00000004), ref: 004064A1
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000001,00000004), ref: 004064D4
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004064FB
RegCloseKey.KERNEL32(?,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406504
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001,00000004), ref: 0040650C
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000,?,?,00000000,00000004,00000091,00000004,?,?,00000000,00000004,00000001), ref: 0040653F
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004), ref: 00406566
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004,?,?,00000000), ref: 0040656E
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091), ref: 00406591
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000091,00000004,?,?,00000000), ref: 00406599
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 004065BC
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004065C4
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 004065E7
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 004065EF
RegSetValueExA.KERNELBASE(?,00000000,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004), ref: 00406612
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040661A
RegSetValueExA.KERNELBASE(?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001), ref: 0040663D
RegCloseKey.KERNEL32(?,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 00406646
Sleep.KERNEL32(00000064,?,?,00000000,00000004,00000001,00000004,?,?,00000000,00000004,00000001,00000004,?,?,00000000), ref: 0040664E

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$Value$CloseCreate
String ID:
API String ID: 3184397383-0
Opcode ID: 93dc55894faf6f814b2ddcf65b5400ae89b31cf79d55cf43324b23fa800c9202
Instruction ID: 2bdb2e7eba901f38f779a2f5ef2eb5fdc224b4dd96516dc32fec66fda6d992c8
Opcode Fuzzy Hash: 93dc55894faf6f814b2ddcf65b5400ae89b31cf79d55cf43324b23fa800c9202
Instruction Fuzzy Hash: B6E11FB6A40218BEE711ABD1DC4AEFF7F7CDB44B05F50007ABA04A1092EA715F949B35

Function 00401F9D Relevance: 72.1, APIs: 33, Strings: 8, Instructions: 328
stringsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00401FEE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 004020C4
lstrcatA.KERNEL32(?,0042A3B0), ref: 004020D2
lstrlenA.KERNEL32(?,00000007), ref: 004020DD
lstrcatA.KERNEL32(?,0042A3B0), ref: 004020FE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00402129
lstrcatA.KERNEL32(?,?), ref: 00402136
lstrcatA.KERNEL32(?,.exe), ref: 00402144
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402152
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?,00000000), ref: 00402176
wsprintfA.USER32 ref: 004021C6
lstrcpyA.KERNEL32(?,?), ref: 004021DD
lstrlenA.KERNEL32(?), ref: 004021E6
lstrcatA.KERNEL32(?,?), ref: 00402207
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00402215
lstrcatA.KERNEL32(?,0042A3B0), ref: 00402223
lstrcatA.KERNEL32(?,?), ref: 00402230
lstrcatA.KERNEL32(?,.rar), ref: 0040223E
DeleteFileA.KERNEL32(?), ref: 00402247
Sleep.KERNEL32(00001388), ref: 0040225C
Sleep.KERNEL32(00001388), ref: 00402278
Sleep.KERNEL32(00001388), ref: 004022B0
Sleep.KERNEL32(000003E8), ref: 004022D3
Sleep.KERNEL32(000003E8), ref: 0040230D
SetFileAttributesA.KERNEL32(?,00000080), ref: 00402333
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00402350
WriteFile.KERNEL32(00000000,047E50D0,?,00000000), ref: 0040238D
CloseHandle.KERNEL32(?), ref: 00402396
SetFileAttributesA.KERNEL32(?,00000080), ref: 004023CC
CopyFileA.KERNEL32(?,?,00000001), ref: 004023E2
DeleteFileA.KERNEL32(?), ref: 004023EF
ShellExecuteA.SHELL32(00000000,00000000,C:\Program Files (x86)\\WinRAR\rar.exe,?,?,00000000), ref: 00402420
CloseHandle.KERNEL32(00000000), ref: 00402451

Strings

a "..\%s.rar" * , xrefs: 004021C0
.rar, xrefs: 00402232
tmp, xrefs: 004023F7
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\, xrefs: 004020A0
.exe, xrefs: 00402138, 004021FF
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 00402171
C:\Program Files (x86)\\WinRAR\rar.exe, xrefs: 00402419
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 004020B8, 0040211D, 00402209, 004023FD

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$lstrcat$Sleep$lstrcpy$Attributes$CloseCopyDeleteHandlelstrlen$CreateExecuteShellWritewsprintf
String ID: .exe$.rar$C:\Program Files (x86)\\WinRAR\rar.exe$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$a "..\%s.rar" * $tmp
API String ID: 1896541782-3258481087
Opcode ID: 24f4ff6158e3481e03426d39612af95b35a73f31ff751169f6e5986fea90d1b9
Instruction ID: 3022652ca617998f224523417b6a8ac86932b041dbb7c5d2648501ab9886e0b1
Opcode Fuzzy Hash: 24f4ff6158e3481e03426d39612af95b35a73f31ff751169f6e5986fea90d1b9
Instruction Fuzzy Hash: 07C1E071940348EBDF21EBE0DD89ADA7B6CAB05304F4044BBE504A7191E6BD5A8DCF29

Function 0040FB2F Relevance: 63.4, APIs: 23, Strings: 13, Instructions: 415
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040EA9F: lstrlenA.KERNEL32(?,?), ref: 0040EB2B

socket.WS2_32(00000002,00000001,00000006), ref: 0040FB65

Part of subcall function 004138BC: inet_addr.WS2_32(00000000), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000050), ref: 0040FB83
connect.WS2_32(?,?,00000010), ref: 0040FB96
wsprintfA.USER32 ref: 0040FBD0
lstrlenA.KERNEL32(?,00000000), ref: 0040FBE3
send.WS2_32(?,?,00000000), ref: 0040FBF4
select.WS2_32(?,?,00000000,00000000,?), ref: 0040FC3E
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040FC4E
recv.WS2_32(?,?,00000001,00000000), ref: 0040FC6C
lstrcmpiA.KERNEL32(00000001,jan), ref: 0040FD59
lstrcmpiA.KERNEL32(00000001,feb), ref: 0040FD6E
lstrcmpiA.KERNEL32(00000001,mar), ref: 0040FD83
lstrcmpiA.KERNEL32(00000001,apr), ref: 0040FD98
closesocket.WS2_32(?), ref: 0040FEB9
closesocket.WS2_32(?), ref: 0040FF99

Strings

jun, xrefs: 0040FDB9
oct, xrefs: 0040FE01
sep, xrefs: 0040FDEF
feb, xrefs: 0040FD68
may, xrefs: 0040FDA7
jan, xrefs: 0040FD50
aug, xrefs: 0040FDDD
jul, xrefs: 0040FDCB
nov, xrefs: 0040FE13
apr, xrefs: 0040FD92
dec, xrefs: 0040FE25
mar, xrefs: 0040FD7D
date, xrefs: 0040FCBC

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcmpi$closesocketlstrlen$connectgethostbynamehtonsinet_addrrecvselectsendsocketwsprintf
String ID: apr$aug$date$dec$feb$jan$jul$jun$mar$may$nov$oct$sep
API String ID: 4061257364-2825898416
Opcode ID: 1b869073f7bf14742d9279ac740fefc2c549dc5633a0fcad0a972a6c5c4af714
Instruction ID: b440cbbe22d014a8756bf6f11b7a8553ac34d49057fa62a6aabe9826c51b07e3
Opcode Fuzzy Hash: 1b869073f7bf14742d9279ac740fefc2c549dc5633a0fcad0a972a6c5c4af714
Instruction Fuzzy Hash: 95D14B3160435A9ADB315A259C44BBF37A89F16344F68007BFD05F26D3EA7CC84A876E

Function 00407DF4 Relevance: 58.2, APIs: 30, Strings: 3, Instructions: 410
stringsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00007530), ref: 00407E11
Sleep.KERNEL32(000003E8), ref: 00407E3E
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\), ref: 00407E59
lstrlenA.KERNEL32(?,0000000A), ref: 00407E68
lstrcatA.KERNEL32(?,.exe), ref: 00407E8A
lstrcatA.KERNEL32(?,.exe), ref: 00407EA1
GetTickCount.KERNEL32 ref: 00407EBF
GetLogicalDriveStringsA.KERNEL32(000003FF,?), ref: 00407ED8
GetDriveTypeA.KERNEL32(00000000), ref: 00407EF2
lstrcatA.KERNEL32(?,?), ref: 00407F58
lstrlenA.KERNEL32(?), ref: 00407FB2
lstrcatA.KERNEL32(?,.bat), ref: 00407FED
lstrcatA.KERNEL32(?,.bat), ref: 00408015
lstrcatA.KERNEL32(?,.bat), ref: 0040803D
lstrcpyA.KERNEL32(?,?), ref: 0040804F
lstrcpyA.KERNEL32(?,?), ref: 004080A9
lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0000001F), ref: 00408121
SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,0000001F), ref: 00408130
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,0000001F), ref: 0040814E
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,0000001F), ref: 0040816C
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,0000001F), ref: 00408187
wsprintfA.USER32 ref: 00408254
lstrlenA.KERNEL32(?,?,00000000), ref: 0040826A
WriteFile.KERNEL32(?,?,00000000), ref: 0040827B
CloseHandle.KERNEL32(?), ref: 00408284

Part of subcall function 00413AAC: GetTickCount.KERNEL32 ref: 00413AB3
Part of subcall function 00413AAC: GetSystemTime.KERNEL32(?,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00413AC4
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,00408C5D), ref: 00413AFD
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B40
Part of subcall function 00413AAC: SystemTimeToFileTime.KERNEL32(000007D9,76AE8A60), ref: 00413B8E
Part of subcall function 00413AAC: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00413BA5

lstrcpyA.KERNEL32(?,?), ref: 0040807C

Part of subcall function 00414D8E: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

SetFileAttributesA.KERNEL32(?,00000007), ref: 004082AD
lstrlenA.KERNEL32(00000000), ref: 004082B4
lstrlenA.KERNEL32 ref: 004082F7
Sleep.KERNEL32(000003E8), ref: 0040830C

Strings

.exe, xrefs: 00407E7D, 00407E82, 00407E99
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00407E4D
.bat, xrefs: 00407FE0, 00407FE5, 0040800D, 00408035

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Timelstrcat$lstrlen$CreateSleepSystemlstrcpy$AttributesCountDriveTick$CloseHandleLogicalStringsTypeWritewsprintf
String ID: .bat$.exe$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\
API String ID: 530435527-4043645035
Opcode ID: cebe2707939c58bdb77b2f4b12f498b91be35d01fc9f4acf54c70fc7af8dec7d
Instruction ID: c6ce981036597e7e3b7541c0c98113c6be5eba37bc76b6932f84717924a43464
Opcode Fuzzy Hash: cebe2707939c58bdb77b2f4b12f498b91be35d01fc9f4acf54c70fc7af8dec7d
Instruction Fuzzy Hash: 11D1B8B2D0011CAADB25DBA0DC4AFEA77BDAB44314F5404ABF504E2181DA789F858F69

Function 004157A7 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 313
sleepstringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004157B9
Sleep.KERNEL32(00007530), ref: 004157D3
Sleep.KERNEL32(000003E8), ref: 00415816
Sleep.KERNEL32(000003E8), ref: 0041582D
GetCurrentProcess.KERNEL32(00000080), ref: 0041584A
SetPriorityClass.KERNEL32(00000000), ref: 00415851
lstrcpyA.KERNEL32(?,http://), ref: 00415886
lstrlenA.KERNEL32(?,:%d,?), ref: 004158B2
wsprintfA.USER32 ref: 004158BD
lstrcatA.KERNEL32(?,0042A7D8), ref: 004158CF
lstrlenA.KERNEL32(?,00000002), ref: 004158E8
GetWindowRect.USER32(?,?), ref: 0041592F

Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,00000001,0000001E,?,?,76AF0F00), ref: 00402FB3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(00000000,0042A44C,0000001E,?,?,76AF0F00), ref: 00402FC3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,00000000,0000001E,?,?,76AF0F00), ref: 00402FD3
Part of subcall function 00402F35: lstrcpynA.KERNEL32(?,00000000,0000003E,?,?,76AF0F00), ref: 00402FE3

Sleep.KERNEL32(0000012C), ref: 00415984
Sleep.KERNEL32(00004E20), ref: 004159B7

Part of subcall function 004152AB: GetDesktopWindow.USER32 ref: 004152B8
Part of subcall function 004152AB: GetWindowRect.USER32(00000000), ref: 004152C5
Part of subcall function 004152AB: GetWindowRect.USER32(00415941,?), ref: 004152CF
Part of subcall function 004152AB: ShowWindow.USER32(00415941,00000001), ref: 0041532A
Part of subcall function 004152AB: SetWindowPos.USER32(00415941,000000FF,?,00000000,00000258,000001F4,00000040), ref: 00415342
Part of subcall function 004152AB: ShowWindow.USER32(00415941,00000001), ref: 0041534B
Part of subcall function 004152AB: SetForegroundWindow.USER32(00415941), ref: 00415358
Part of subcall function 004152AB: SetFocus.USER32(00415941), ref: 00415361
Part of subcall function 004152AB: SetForegroundWindow.USER32(00415941), ref: 00415364
Part of subcall function 004152AB: SetFocus.USER32(00415941), ref: 00415367
Part of subcall function 004152AB: SetForegroundWindow.USER32(00415941), ref: 0041536A
Part of subcall function 004152AB: SetFocus.USER32(00415941), ref: 0041536D
Part of subcall function 004152AB: Sleep.KERNEL32(00000064), ref: 00415371
Part of subcall function 004152AB: ShowWindow.USER32(00415941,00000001), ref: 0041537A

Part of subcall function 00415497: Sleep.KERNEL32(00000064,?,00415A60,?,00000000), ref: 004154A0
Part of subcall function 00415497: SetFocus.USER32(?), ref: 004154B0
Part of subcall function 00415497: Sleep.KERNEL32(00000064), ref: 004154B8
Part of subcall function 00415497: Sleep.KERNEL32(00000064), ref: 004154C1

Part of subcall function 00415104: lstrlenA.KERNEL32(?,?,?,76AF0F00), ref: 00415114
Part of subcall function 00415104: lstrlenA.KERNEL32(-00000005), ref: 00415209
Part of subcall function 00415104: lstrlenA.KERNEL32(-00000005), ref: 00415211

Part of subcall function 00415623: lstrlenA.KERNEL32(?,?,76AF0F00), ref: 00415665
Part of subcall function 00415623: lstrlenA.KERNEL32(?), ref: 0041566D
Part of subcall function 00415623: lstrlenA.KERNEL32(?), ref: 004156C9
Part of subcall function 00415623: lstrcatA.KERNEL32(?,0042A440), ref: 004156E0
Part of subcall function 00415623: lstrcatA.KERNEL32(?,00000000), ref: 004156E7

ShowWindow.USER32(?,00000000), ref: 004159F9
Sleep.KERNEL32(00002710), ref: 00415A04
ShowWindow.USER32(?,00000005), ref: 00415A09
ShowWindow.USER32(?,00000000), ref: 00415A89
Sleep.KERNEL32(00000190), ref: 00415A95

Part of subcall function 004154D8: SetFocus.USER32(?,?,?,00000190,?,76AF0F00,?,?,?,?,?,?,?,?,00415AAB,?), ref: 00415516
Part of subcall function 004154D8: Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,00000190,?), ref: 00415539

ShowWindow.USER32(?,00000000), ref: 00415AB1
Sleep.KERNEL32(00000190), ref: 00415AB8

Part of subcall function 00415547: Sleep.KERNEL32(000001F4), ref: 0041556E
Part of subcall function 00415547: lstrcmpA.KERNEL32(00000000,00000000), ref: 0041559A

ShowWindow.USER32(?,00000000), ref: 00415AD5
Sleep.KERNEL32(00000190), ref: 00415ADC

Part of subcall function 004155B7: SetFocus.USER32(?,?,?,00000190,?,76AF0F00,?,?,?,?,?,?,?,?,00415AF2,?), ref: 004155FA

ShowWindow.USER32(?,00000000), ref: 00415AF8
ShowWindow.USER32(00000000,00000000), ref: 00415B08
GetWindowThreadProcessId.USER32(00000000,0045985C), ref: 00415B14
GetCurrentProcess.KERNEL32(00000020), ref: 00415B23
SetPriorityClass.KERNEL32(00000000), ref: 00415B2A
Sleep.KERNEL32(00004E20), ref: 00415B35

Strings

http://, xrefs: 0041587D
:%d, xrefs: 004158A9

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Window$Sleep$Show$lstrlen$Focus$lstrcpyn$ForegroundProcessRectlstrcat$ClassCurrentPriority$CountDesktopThreadTicklstrcmplstrcpywsprintf
String ID: :%d$http://
API String ID: 1001066556-2872252496
Opcode ID: 5433a4a54e52b947ac002cc7042449f1cca0677e9c2ee8cddeb72ecb393f4da8
Instruction ID: 1a0f13dbbb03e331f307676340b79c983e3ef856dc49174a57c53eedfa74bf4b
Opcode Fuzzy Hash: 5433a4a54e52b947ac002cc7042449f1cca0677e9c2ee8cddeb72ecb393f4da8
Instruction Fuzzy Hash: CEA1F972901704FBEB11BB60DD4AFEE376CAF55305F10006AFA04A1192DB7C9A86876E

Function 0040D83E Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 223
threadsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040D849
CreateThread.KERNEL32(00000000,00000000,00415D7A,00000000,00000000,00000000), ref: 0040D871
Sleep.KERNEL32(0001D4C0), ref: 0040D878
CreateThread.KERNEL32(00000000,00000000,Function_00005F6F,00000000,00000000,00000000), ref: 0040D888
CreateThread.KERNEL32(00000000,00000000,Function_0000604A,00000000,00000000,00000000), ref: 0040D8AE
GetTickCount.KERNEL32 ref: 0040D8B0
GetTickCount.KERNEL32 ref: 0040D8BD
Sleep.KERNEL32(000003E8), ref: 0040D8CC
CreateThread.KERNEL32(00000000,00000000,Function_0000D016,00000000,00000000,00000000), ref: 0040D8E9
Sleep.KERNEL32(00007530), ref: 0040D8F7
lstrcatA.KERNEL32(C:\Program Files (x86)\\WinRAR\rar.exe,\WinRAR\rar.exe), ref: 0040D957
CreateThread.KERNEL32(00000000,00000000,Function_00001F9D,00000000,00000000,00000000), ref: 0040D978
CreateThread.KERNEL32(00000000,00000000,Function_0001272F,00000000,00000000,00000000), ref: 0040D98C
CreateThread.KERNEL32(00000000,00000000,Function_00012FDD,00000000,00000000,00000000), ref: 0040D998
CreateThread.KERNEL32(00000000,00000000,Function_000095B5,00000000,00000000,00000000), ref: 0040D9A4
CreateThread.KERNEL32(00000000,00000000,Function_000116A8,00000000,00000000,00000000), ref: 0040D9B0
CreateThread.KERNEL32(00000000,00000000,Function_00006B75,00000000,00000000,00000000), ref: 0040D9BC
CreateThread.KERNEL32(00000000,00000000,Function_000056A7,00000000,00000000,00000000), ref: 0040D9C8
CreateThread.KERNEL32(00000000,00000000,Function_00008CB0,00000000,00000000,00000000), ref: 0040D9E4
CreateThread.KERNEL32(00000000,00000000,Function_000076C6,00000000,00000000,00000000), ref: 0040D9F0
CreateThread.KERNEL32(00000000,00000000,Function_000073CE,00000000,00000000,00000000), ref: 0040D9FC
CreateThread.KERNEL32(00000000,00000000,Function_000085CA,00000000,00000000,00000000), ref: 0040DA08
CreateThread.KERNEL32(00000000,00000000,Function_00007DF4,00000000,00000000,00000000), ref: 0040DA14
CreateThread.KERNEL32(00000000,00000000,Function_00011206,00000000,00000000,00000000), ref: 0040DA20
CreateThread.KERNEL32(00000000,00000000,Function_000157A7,00000000,00000000,00000000), ref: 0040DA2C
CreateThread.KERNEL32(00000000,00000000,Function_0001C19E,00000000,00000000,00000000), ref: 0040DA38
Sleep.KERNEL32(00A4CB80), ref: 0040DA49

Strings

C:\Program Files (x86)\\WinRAR\rar.exe, xrefs: 0040D942, 0040D947, 0040D956, 0040D95D
\WinRAR\rar.exe, xrefs: 0040D951

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CreateThread$Sleep$CountTick$lstrcat
String ID: C:\Program Files (x86)\\WinRAR\rar.exe$\WinRAR\rar.exe
API String ID: 4190259895-2349457676
Opcode ID: f7a52bcc0a8116c75882cc8cd0f963ec66a759b7a03b6c4eac6b932caffdbd01
Instruction ID: b5e03ec3d1ab7aa72586ffd96dea160173fde5e76d96af4e3afdbc534cda32d7
Opcode Fuzzy Hash: f7a52bcc0a8116c75882cc8cd0f963ec66a759b7a03b6c4eac6b932caffdbd01
Instruction Fuzzy Hash: A6519DE0A4535CBEF22037B26CC6E3B2E0CDA517DD714043BB406710D289BC8C998A7E

Function 004085CA Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 280
stringsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 004085DA
GetWindowsDirectoryA.KERNEL32(00000000,000000E6), ref: 00408634
lstrcpyA.KERNEL32(00000000,00000000), ref: 00408661
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408676
lstrcatA.KERNEL32(00000000,?), ref: 00408683
RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,?,00000000), ref: 004086C9
RegSetValueExA.ADVAPI32(?,00000000,?,?,00000000,00000004,?,00000004), ref: 004086F3
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,?,00000004), ref: 004086FC
Sleep.KERNEL32(000001F4,?,?,00000000,00000004,?,00000004), ref: 00408707
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0040872A
Sleep.KERNEL32(000003E8,?,?,00000000,00000004,?,00000004), ref: 00408735

Part of subcall function 004142EE: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,76AE83C0,76AE8A60), ref: 004142FE

lstrcpyA.KERNEL32(00000000,00000000), ref: 00408778
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408782
lstrcatA.KERNEL32(00000000,?), ref: 0040878F
lstrcpyA.KERNEL32(00000000,00000000), ref: 004087D0
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 004087DA
lstrcatA.KERNEL32(00000000,?), ref: 004087E7
lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 00408826
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408830
lstrcatA.KERNEL32(00000000,?), ref: 0040883D
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 00408886
lstrcatA.KERNEL32(00000000,?), ref: 00408893

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 004088D2
lstrcatA.KERNEL32(00000000,0042A3B0), ref: 004088DC
lstrcatA.KERNEL32(00000000,?), ref: 004088E9

Part of subcall function 00408324: GetComputerNameA.KERNEL32(?,?), ref: 00408492
Part of subcall function 00408324: lstrcatA.KERNEL32(?,00000001), ref: 004084A6
Part of subcall function 00408324: lstrcatA.KERNEL32(?,?), ref: 004084FE
Part of subcall function 00408324: lstrcatA.KERNEL32(?,0042A3B0), ref: 00408530
Part of subcall function 00408324: lstrcatA.KERNEL32(?,00000001), ref: 0040853A
Part of subcall function 00408324: CopyFileA.KERNEL32(0000007F,?,00000001), ref: 00408553
Part of subcall function 00408324: SetFileAttributesA.KERNEL32(?,00000080), ref: 00408565
Part of subcall function 00408324: Sleep.KERNEL32(00000001), ref: 00408583
Part of subcall function 00408324: SetFileAttributesA.KERNEL32(0000007F,00000080), ref: 00408592
Part of subcall function 00408324: DeleteFileA.KERNEL32(0000007F), ref: 00408595

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 0040887C

Part of subcall function 00408324: GetUserNameA.ADVAPI32(?,?), ref: 0040838E
Part of subcall function 00408324: wsprintfA.USER32 ref: 004083B8
Part of subcall function 00408324: ShellExecuteA.SHELL32(00000000,00000000,takeown,?,00000000,00000000), ref: 004083CD
Part of subcall function 00408324: Sleep.KERNEL32(000007D0), ref: 004083D8
Part of subcall function 00408324: wsprintfA.USER32 ref: 004083F2
Part of subcall function 00408324: ShellExecuteA.SHELL32(00000000,00000000,icacls,?,00000000,00000000), ref: 00408407
Part of subcall function 00408324: Sleep.KERNEL32(00000BB8), ref: 00408412
Part of subcall function 00408324: lstrlenA.KERNEL32(?), ref: 00408425

Strings

C:\Windows\system32\, xrefs: 0040881A, 00408870, 004088C6

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$Sleeplstrcpy$File$AttributesExecuteShell$CreateNamewsprintf$CloseComputerCopyDeleteDirectorySnapshotToolhelp32UserValueWindowslstrlen
String ID: C:\Windows\system32\
API String ID: 3762291812-1520839452
Opcode ID: 4225e2a9f6c30a0eb4da557927706b4a7f56f109547df7c5c5968730367a42af
Instruction ID: c2cce530174d335f4e65662834358c013a2ccb5602420c717432df29190648c8
Opcode Fuzzy Hash: 4225e2a9f6c30a0eb4da557927706b4a7f56f109547df7c5c5968730367a42af
Instruction Fuzzy Hash: D891F1B291021C6ADB11E7E0DD45FEA77BCEB48714F5404BBF605F2081EA78AB84CB65

Function 00405D79 Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 183
windowthreadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000002), ref: 00405D85
IsWindowVisible.USER32(?), ref: 00405D93
GetWindowTextA.USER32(?,?,00000080), ref: 00405DAD
GetWindowThreadProcessId.USER32(?,?), ref: 00405DBF
ShowWindow.USER32(?,00000000), ref: 00405DF9
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405E04
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00405E15
DestroyWindow.USER32(?), ref: 00405E1C
GetClassNameA.USER32(?,?,00000020), ref: 00405E43
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405E67
ShowWindow.USER32(?,00000000), ref: 00405EC6
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405ED1
ShowWindow.USER32(?,00000000), ref: 00405ED5
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405EE0
EnableWindow.USER32(?,00000000), ref: 00405EE4
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00405EF9
DestroyWindow.USER32(?), ref: 00405F00
ShowWindow.USER32(?,00000000), ref: 00405F59

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

GetWindowThreadProcessId.USER32(?,?), ref: 00405F37
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00405F4E
DestroyWindow.USER32(?), ref: 00405F51

Strings

twitter, xrefs: 00405DD7, 00405E8D
skype, xrefs: 00405F1C
- , xrefs: 00405EB3
tooltips_class32, xrefs: 00405E4D

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Window$MessagePost$Show$Destroy$ProcessThreadlstrlen$ClassEnableNameSleepTextVisible
String ID: - $skype$tooltips_class32$twitter
API String ID: 968148897-3706606202
Opcode ID: 3976e576093891d2386c3fc19554f5d567771aff1a74ec8261fc56ca94719168
Instruction ID: 54639c6e0f4210a215bb2e5edd6b10eb1cc48d076ecbf56d7b59a4990fe04e6e
Opcode Fuzzy Hash: 3976e576093891d2386c3fc19554f5d567771aff1a74ec8261fc56ca94719168
Instruction Fuzzy Hash: A151C1B1209705BFE620EF60EC89EAB379CEB05345F50043AF641912D1DB799E468B7E

Function 0040F0E0 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 288
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040EB47: lstrcpyA.KERNEL32(?,0042A7D4,?,0000000F,00000000,00000000,00000000,00000000,?,000000FA,%s/%s=%d,?,?), ref: 0040EB66
Part of subcall function 0040EB47: lstrlenA.KERNEL32(00000000), ref: 0040EB8A

socket.WS2_32(00000002,00000001,00000006), ref: 0040F16C
htons.WS2_32(?), ref: 0040F18E
connect.WS2_32(?,?,00000010), ref: 0040F1A1
wsprintfA.USER32 ref: 0040F1F7
lstrlenA.KERNEL32(?,00000000), ref: 0040F20A
send.WS2_32(?,?,00000000), ref: 0040F21B
select.WS2_32(?,00000001,00000000,00000000,?), ref: 0040F254
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040F262
recv.WS2_32(?,?,00000001,00000000), ref: 0040F27C

Strings

content-length, xrefs: 0040F2EE
transfer-encoding, xrefs: 0040F3A1
0, xrefs: 0040F431
chunked, xrefs: 0040F3B6

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$connecthtonslstrcpyrecvselectsendsocketwsprintf
String ID: 0$chunked$content-length$transfer-encoding
API String ID: 1838493728-40983872
Opcode ID: 235dea8b46d4ee2d5438c381730252cc5b057c6fc41e740b7cc2ad439a5dfb9d
Instruction ID: 40cfbdb6b8a0f10b890aa6bab67d98a43da17613289cd9da5c7ab6e3ab63f530
Opcode Fuzzy Hash: 235dea8b46d4ee2d5438c381730252cc5b057c6fc41e740b7cc2ad439a5dfb9d
Instruction Fuzzy Hash: FEB18A71500208AFEF21DF64DC44BEA77A9FB04704F5040BAF905E6192DB79AA89CF65

Function 0040DA5B Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 190
stringthreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00458D80,76AF0A60,00000000), ref: 0040DA72
SetErrorMode.KERNEL32(00008003), ref: 0040DAC5
GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00000104), ref: 0040DAFF
lstrcatA.KERNEL32(C:\Windows\system32\,0042A3B0), ref: 0040DB0B
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000001), ref: 0040DB4C
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000001), ref: 0040DB9B
WSAStartup.WS2_32(00000101,?), ref: 0040DBFE
InitializeCriticalSection.KERNEL32(0044F7B8), ref: 0040DC09
InitializeCriticalSection.KERNEL32(0044F79C), ref: 0040DC10
InitializeCriticalSection.KERNEL32(00459708), ref: 0040DC17
InitializeCriticalSection.KERNEL32(0045983C), ref: 0040DC1E
InitializeCriticalSection.KERNEL32(0044F7E0), ref: 0040DC25
InitializeCriticalSection.KERNEL32(00459674), ref: 0040DC2C
InitializeCriticalSection.KERNEL32(004596EC), ref: 0040DC33
InitializeCriticalSection.KERNEL32(004596D4), ref: 0040DC3A
InitializeCriticalSection.KERNEL32(004596BC), ref: 0040DC41
InitializeCriticalSection.KERNEL32(004596A4), ref: 0040DC48
InitializeCriticalSection.KERNEL32(0045968C), ref: 0040DC4F

Part of subcall function 0040C54E: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C591
Part of subcall function 0040C54E: CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0040C5A7
Part of subcall function 0040C54E: GetLastError.KERNEL32 ref: 0040C5AF
Part of subcall function 0040C54E: CloseHandle.KERNEL32(00000000), ref: 0040C5BA

CreateThread.KERNEL32(00000000,00000000,0040C431,00000000,00000000,00000000), ref: 0040DC8A
CreateThread.KERNEL32(00000000,00000000,0040D1D8,00000000,00000000,00000000), ref: 0040DC96

Strings

C:\Windows\system32\, xrefs: 0040DAF9, 0040DAFE, 0040DB0A, 0040DB11
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040DB47, 0040DB96, 0040DBB8

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalInitializeSection$Create$ErrorMutexThreadlstrcpy$CloseDirectoryHandleLastModeOpenStartupSystemlstrcat
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$C:\Windows\system32\
API String ID: 3287937100-2541385624
Opcode ID: 1d8fa31ad52112eeba318bed8d9aa085e5bcca949472bfe77bc0c11535e98c15
Instruction ID: 4a85369abd0a2a9a89e7fd51754485e40c171d24ce782e2c1052b94615d691b9
Opcode Fuzzy Hash: 1d8fa31ad52112eeba318bed8d9aa085e5bcca949472bfe77bc0c11535e98c15
Instruction Fuzzy Hash: CF518D71A44254AAEA217BF56C46FAB3A589F4175AF25003BFC41311C38ABC5C4ECA7F

Function 00413E36 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E4B
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E52
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E5C
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000104,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00413E75
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E81
GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E88
CloseHandle.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F77
SetFileAttributesA.KERNEL32(00000000,00000006,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F82

Strings

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 00413E3C

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AttributesCloseCurrentFileHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\
API String ID: 3498935171-1812980290
Opcode ID: ae00fb54b3492c3a0ace82967610d98ed381333d34f1cc31c124c4b0d0481274
Instruction ID: 790f76d0c7c029a87acee6e2e27f50b46b65660552c2eddc99154039eeec75a8
Opcode Fuzzy Hash: ae00fb54b3492c3a0ace82967610d98ed381333d34f1cc31c124c4b0d0481274
Instruction Fuzzy Hash: DC411B71E00218BBDB209FA1ED4DEEE7FBCEB44705F50006AF901E2160DB749A56DB69

Function 00413F8E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?), ref: 00413FA3
OpenProcessToken.ADVAPI32(00000000), ref: 00413FAA
GetLastError.KERNEL32 ref: 00413FB4
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,.exe), ref: 00413FD1
GetLastError.KERNEL32 ref: 00413FD9
GetLastError.KERNEL32 ref: 00413FE0
CloseHandle.KERNEL32(00000000), ref: 004140BE

Strings

.exe, xrefs: 00413FBF

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ErrorLast$ProcessToken$CloseCurrentHandleInformationOpen
String ID: .exe
API String ID: 3182025614-4119554291
Opcode ID: 1de395bec982ee16d1ba774764177e0ec6cf3ca332c2e473e0865e044f3a2139
Instruction ID: a25941590cff0d4bff0b9fb00928191c2ec88986d9cc0e69d77e81c5d1198593
Opcode Fuzzy Hash: 1de395bec982ee16d1ba774764177e0ec6cf3ca332c2e473e0865e044f3a2139
Instruction Fuzzy Hash: 92315071A00218BBDF209FE1DC48FDE7B7CEF08744F540066F605E2160DB7999959B69

Function 0040D1D8 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 91stringsleepCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 0040D21B
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D223
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D254

Part of subcall function 00414D8E: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

lstrlenA.KERNEL32(00000000), ref: 0040D22A

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 0040D276
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040D27E
lstrlenA.KERNEL32(00000000), ref: 0040D285
lstrcatA.KERNEL32(?,.exe), ref: 0040D29D
GetTickCount.KERNEL32 ref: 0040D2B6
GetTickCount.KERNEL32 ref: 0040D2CA
GetTickCount.KERNEL32 ref: 0040D2D5
Sleep.KERNEL32(00002710), ref: 0040D2E4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D26C
C:\Windows\system32\, xrefs: 0040D211
.exe, xrefs: 0040D24B, 0040D297

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$CountTicklstrlen$lstrcpy$CreateFileSleep
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 157799668-577769959
Opcode ID: a14428d9e2af36542f807380719714de05a372dac77148e5a00d34e4d435e05c
Instruction ID: 1dd661079137dd266a11f3d998b1c56a89a9d41e77c259510d1bc51e0b0dfb00
Opcode Fuzzy Hash: a14428d9e2af36542f807380719714de05a372dac77148e5a00d34e4d435e05c
Instruction Fuzzy Hash: 8A21A772504315ABC610FFA0EC4599BB7DCAB84310F11082FF941A3193DA78D95D8BAB

Function 0041040C Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C

Part of subcall function 00410335: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,76AE83C0,00000000), ref: 00410393
Part of subcall function 00410335: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004103A9
Part of subcall function 00410335: CloseHandle.KERNEL32(?), ref: 004103B2

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
lstrcatA.KERNEL32(?,?), ref: 004104CD
lstrcatA.KERNEL32(?,?), ref: 00410528
lstrcatA.KERNEL32(?,?), ref: 00410583
GetWindowsDirectoryA.KERNEL32(?,000000F0), ref: 004105CC
lstrcatA.KERNEL32(?,0042A3B0), ref: 004105DE
lstrcatA.KERNEL32(?,?), ref: 004105EE
lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 00410637
lstrcatA.KERNEL32(?,?), ref: 0041064B

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0041062B
C:\Windows\system32\, xrefs: 004104AB

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$lstrcpy$FileHeap$CloseCreateDirectoryFreeHandleProcessReadWindows
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 3549376159-2518840955
Opcode ID: 5fa5fb7c4babeb1a4571ccf006c53f353e31d714d4b4cfc985645009501d3b2e
Instruction ID: d72b5c0f04a7a801b5860cc1153d31a7b218ed3e87dac02d78eebbef0ee0db9c
Opcode Fuzzy Hash: 5fa5fb7c4babeb1a4571ccf006c53f353e31d714d4b4cfc985645009501d3b2e
Instruction Fuzzy Hash: EC81E7B2D0021DABDF14DFA4CD859DEB7BCEB08304F1005A6E615E7241EB74AB858FA5

Function 004106F5 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004107DA
lstrcatA.KERNEL32(?,00000000), ref: 0041081D
lstrcatA.KERNEL32(?,00000000), ref: 0041084C
GetWindowsDirectoryA.KERNEL32(?,000000F0), ref: 0041086B
lstrcatA.KERNEL32(?,0042A3B0), ref: 0041087D
lstrcatA.KERNEL32(?,00000000), ref: 0041088D
lstrcatA.KERNEL32(?,00000000), ref: 004107EE

Part of subcall function 0041068A: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,76AE8A60,?,?,?,004108D0,?,00000000,?), ref: 004106A5
Part of subcall function 0041068A: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?,004108D0,?,00000000,?), ref: 004106B6
Part of subcall function 0041068A: WriteFile.KERNEL32(00000000,?,004108D0,?,00000000,?,?,004108D0,?,00000000,?), ref: 004106D1
Part of subcall function 0041068A: CloseHandle.KERNEL32(00000000,?,?,004108D0,?,00000000,?), ref: 004106D8
Part of subcall function 0041068A: SetFileAttributesA.KERNEL32(00000000,00000002,?,?,004108D0,?,00000000,?), ref: 004106E3

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\), ref: 004108AC
lstrcatA.KERNEL32(?,00000000), ref: 004108C0
lstrcpyA.KERNEL32(?,00000000), ref: 004108E1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004108A0
C:\Windows\system32\, xrefs: 004107CE

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$File$lstrcpy$AttributesHeap$AllocateCloseCountCreateDirectoryFolderFromHandleListLocationMallocPathProcessSpecialTickWindowsWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\
API String ID: 840702394-2518840955
Opcode ID: dcca97a07330aefd62fffc674e3c1aeb84b5eb98b0194e1da4ef3635850571fd
Instruction ID: e59ea0402cc0a97aad8de641f098a8acb5b0e4b41f94063a684b31080ab07657
Opcode Fuzzy Hash: dcca97a07330aefd62fffc674e3c1aeb84b5eb98b0194e1da4ef3635850571fd
Instruction Fuzzy Hash: 885133B2C4021CBADB20EBA1DC89FDF777CAB55314F0445A7B505E2041EAB497D48FA5

Function 00405B34 Relevance: 19.7, APIs: 13, Instructions: 180stringregistryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
GetDesktopWindow.USER32 ref: 00405B68
GetWindowRect.USER32(00000000), ref: 00405B6F

Part of subcall function 00410A33: EnterCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A40
Part of subcall function 00410A33: LeaveCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A70

SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 00405C17
RegDeleteValueA.KERNEL32(?,00000000), ref: 00405C37
RegCloseKey.ADVAPI32(?), ref: 00405C40
lstrlenA.KERNEL32(?), ref: 00405C70
lstrcmpiA.KERNEL32(00700D88,?), ref: 00405CA4
lstrlenA.KERNEL32(?), ref: 00405D02
lstrcmpiA.KERNEL32(00700D88,?), ref: 00405D36
LeaveCriticalSection.KERNEL32(0044F7E0), ref: 00405D70

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalSection$Delete$EnterLeaveWindowlstrcmpilstrlen$CloseCreateDesktopRectValue
String ID:
API String ID: 3629881134-0
Opcode ID: 171633bfb54bb9041f885dfeee0c62b9f49d74c97cc8cf34d6678a76fe059ef7
Instruction ID: 2034163c18fc6c54253ab763adb56740a824e02f721f4af71a6baf50f169b6c5
Opcode Fuzzy Hash: 171633bfb54bb9041f885dfeee0c62b9f49d74c97cc8cf34d6678a76fe059ef7
Instruction Fuzzy Hash: 4651F676904614ABEB20BBA19C0AADB77ACEB10305F50407BF541B6181DB786EC48F2D

Function 0040C6A0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\,776AC310,76AF0F10,00000000), ref: 0040C6D2
lstrlenA.KERNEL32(00000000), ref: 0040C6E1

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

lstrcatA.KERNEL32(?,.exe), ref: 0040C70F

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

lstrcpyA.KERNEL32(00000000,C:\Windows\system32\), ref: 0040C748
lstrlenA.KERNEL32(00000000), ref: 0040C751
lstrcatA.KERNEL32(00000000,.exe), ref: 0040C772
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0040C7AD

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040C6C6
C:\Windows\system32\, xrefs: 0040C73C
C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040C7A8
.exe, xrefs: 0040C707, 0040C76C

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcpylstrlen$lstrcat$AttributesFile
String ID: .exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe$C:\Windows\system32\
API String ID: 3674745152-3356367058
Opcode ID: b6df891b65a45cc2a615300a5c9184ea6f316ab2b91bf69aa434291407f973ad
Instruction ID: b179360706abfde640a6b66b940e8fe839b2ad012b079806e7e9c2bb175f0aee
Opcode Fuzzy Hash: b6df891b65a45cc2a615300a5c9184ea6f316ab2b91bf69aa434291407f973ad
Instruction Fuzzy Hash: BD315072D0021DEADF15DBD4DC46AED77BCAB48305F6008ABE604B3181E7B89B859F58

Function 00408D16 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D52
GetVersionExA.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D63
GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,776AC310,00000000), ref: 00408D76
GetProcAddress.KERNEL32(00000000), ref: 00408D7F
GetNativeSystemInfo.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D89
GetSystemInfo.KERNEL32(?,?,?,?,776AC310,00000000), ref: 00408D91
GetModuleHandleA.KERNEL32(kernel32.dll,GetProductInfo,?,?,?,776AC310,00000000), ref: 00408D9D
GetProcAddress.KERNEL32(00000000), ref: 00408DA0

Strings

kernel32.dll, xrefs: 00408D70, 00408D75, 00408D9C
GetProductInfo, xrefs: 00408D97
GetNativeSystemInfo, xrefs: 00408D6B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AddressHandleInfoModuleProcSystemVersion$Native
String ID: GetNativeSystemInfo$GetProductInfo$kernel32.dll
API String ID: 3903033433-163341747
Opcode ID: fbbee03e285ec05455dee1f19f6cdfb3ba18d411294cec618d8be033263a36fd
Instruction ID: d88b8f0607474c3343ca8232b8e6d8559b1ef925911f9e6111a5faab946cfceb
Opcode Fuzzy Hash: fbbee03e285ec05455dee1f19f6cdfb3ba18d411294cec618d8be033263a36fd
Instruction Fuzzy Hash: E1219171A0025CDBDB20DFA4DC44E9E7BB8EF48340F54446AF911A7281D738A94ACF69

Function 0040C018 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,C:\Users\user\AppData\Local\Temp\,00000104,C:\Users\user\AppData\Local\Temp\,?,00000000,0040D80A), ref: 0040C02D

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,-00000006,?,00000000,0040D80A), ref: 0040C042

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

Part of subcall function 00413E36: GetCurrentProcess.KERNEL32(00000008,?,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E4B
Part of subcall function 00413E36: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E52
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E5C

SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,00000000,0040D80A), ref: 0040C058
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0042A3B0,?,00000000,0040D80A), ref: 0040C064
lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,00000000,0040D80A), ref: 0040C071
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,-0000000C,?,00000000,0040D80A), ref: 0040C084

Part of subcall function 00413E36: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000104,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00413E75
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E81
Part of subcall function 00413E36: GetLastError.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000,0040D80A), ref: 00413E88
Part of subcall function 00413E36: CloseHandle.KERNEL32(?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F77
Part of subcall function 00413E36: SetFileAttributesA.KERNEL32(00000000,00000006,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000,?,00000000), ref: 00413F82

SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,?,?,?,00000000,0040D80A), ref: 0040C09A
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,0042A3B0,?,?,?,?,00000000,0040D80A), ref: 0040C0A6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040C020, 0040C022
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\, xrefs: 0040C06B, 0040C070, 0040C083, 0040C08E, 0040C0A5
C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\, xrefs: 0040C027, 0040C02C, 0040C041, 0040C04C, 0040C057, 0040C063, 0040C06A, 0040C099

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$AttributesErrorFileLast$ProcessTokenlstrcatlstrcpy$CloseCurrentHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\$C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\
API String ID: 1705690235-91685041
Opcode ID: a22528a4bd3f7e1b7169bd5d19fea0fd725bc73e28345ff0d74c62af98b68780
Instruction ID: d73920bf5ce4dfd11cd3351f73f73b1dc2511ad9cee57e00e81c4fc8d553fe06
Opcode Fuzzy Hash: a22528a4bd3f7e1b7169bd5d19fea0fd725bc73e28345ff0d74c62af98b68780
Instruction Fuzzy Hash: CE0184B3B4121073C1213B21AC8BFBF3A1D9F82726F04402AFD0595142CF5C566A46BF

Function 00414E03 Relevance: 15.1, APIs: 10, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00414E1A
ioctlsocket.WS2_32(00000000,8004667E,76AF23A0), ref: 00414E2D
htons.WS2_32(?), ref: 00414E3C
connect.WS2_32(00000000,00000002,00000010), ref: 00414E53
WSAGetLastError.WS2_32(?,?,00000000), ref: 00414E62
select.WS2_32(00000000,00000000,?,?,?), ref: 00414EA6
__WSAFDIsSet.WS2_32(00000000,?), ref: 00414EB8
ioctlsocket.WS2_32(00000000,8004667E,76AF23A0), ref: 00414ECA
__WSAFDIsSet.WS2_32(00000000,?), ref: 00414EE1
closesocket.WS2_32(00000000), ref: 00414EE7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ioctlsocket$ErrorLastclosesocketconnecthtonsselectsocket
String ID:
API String ID: 2173793709-0
Opcode ID: 7c2a54aeaa611af5f0956abcd23816055dea6c1293f3ca778e40e3a7da28d482
Instruction ID: e0b37a306a2363686957244b9fcd8f3cc0c7b7d42db451f1a47bf8cbf8c9e55f
Opcode Fuzzy Hash: 7c2a54aeaa611af5f0956abcd23816055dea6c1293f3ca778e40e3a7da28d482
Instruction Fuzzy Hash: C1212A75900218ABDB11DFA59C489EFBBBCFF88311F40016AF915E2251DB349E418FA9

Function 0040C34F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000), ref: 0040C37A
OpenProcessToken.ADVAPI32(00000000), ref: 0040C381
GetTokenInformation.KERNELBASE(?,00000002,?,00000400,?,C:\Users\user\AppData\Local\Temp\), ref: 0040C3A8
CloseHandle.KERNEL32(?), ref: 0040C3B3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040C392

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 215268677-787714339
Opcode ID: 3fc46e723eba71a1b8dee2f8b2f347e21d2e4dbc9b647d4307064d127fe98ce9
Instruction ID: f3f63443dbc0749890ce36748c36b560e41776e2a16b7f1285e76c09dac5efdf
Opcode Fuzzy Hash: 3fc46e723eba71a1b8dee2f8b2f347e21d2e4dbc9b647d4307064d127fe98ce9
Instruction Fuzzy Hash: B52160B2D00219FBDF119FA49C85AEEBB79BB14301F4081BAEA01B3191DB345A45DF69

Function 0040C0B1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71stringCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 0040C0F4
lstrcpyA.KERNEL32(4941262305804196,?), ref: 0040C104
GetVolumeInformationA.KERNEL32(0040DB1D,00000000,00000000,00000063,00000000,00000000,00000000,00000000), ref: 0040C136
lstrcatA.KERNEL32(4941262305804196,?), ref: 0040C152

Strings

C:\Windows\system32\, xrefs: 0040C0BA, 0040C11A
c, xrefs: 0040C0ED
2, xrefs: 0040C0E6
4941262305804196, xrefs: 0040C0FE, 0040C103, 0040C151

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ComputerInformationNameVolumelstrcatlstrcpy
String ID: 2$4941262305804196$C:\Windows\system32\$c
API String ID: 96996548-2816264590
Opcode ID: d84cf7e1718c1e54ac5a1dacb7e25b78403c8476962d3321682ff539aece8d81
Instruction ID: 22708223c646a178d41bc95d92e2a0f814173ae4769f9c09350c61bb9050823e
Opcode Fuzzy Hash: d84cf7e1718c1e54ac5a1dacb7e25b78403c8476962d3321682ff539aece8d81
Instruction Fuzzy Hash: 90114F72A4121CBFDB01DBE8DC85EEEBBBCFB18344F140466F600E6041DB745A198B65

Function 0040D09A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000), ref: 0040D0B1
lstrcpyA.KERNEL32(00000000,0040D1D5,776AC310), ref: 0040D0DB
lstrlenA.KERNEL32(00000000), ref: 0040D0E8
lstrcatA.KERNEL32(00000000,.exe), ref: 0040D11C
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 0040D12E
SetFileAttributesA.KERNEL32(00000000,00000007), ref: 0040D148

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040D0AB, 0040D0B0, 0040D137
.exe, xrefs: 0040D116

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AttributesFilelstrlen$lstrcatlstrcpy
String ID: .exe$C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 1691315094-628786359
Opcode ID: 495355920ec7953673e0eef587f14138d5ede02e4b128155301275f2b9f1aee0
Instruction ID: bba8a6c5f5bab5744c0c80198fd7e287e6b0401e6d4ca0dbf8b47a0fecc87264
Opcode Fuzzy Hash: 495355920ec7953673e0eef587f14138d5ede02e4b128155301275f2b9f1aee0
Instruction Fuzzy Hash: D211E972904218EAEB209B94DC45BDD77ACDB05314F1044A6E940E7182D7F86BD98FA5

Function 00413BCF Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413C25
CreateFileA.KERNEL32(0040D13D,40000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C3D
ReadFile.KERNEL32(?,?,0040D13D,?,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C6B
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413C7D
CloseHandle.KERNEL32(?,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413CAB
CloseHandle.KERNEL32(?,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413CB2

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 00413BD5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$CloseCreateHandle$ReadSizeWrite
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 1842372638-2091069259
Opcode ID: c1c920c90bf58fdbc3e8cb355cb3d56a9521444a16e49114f34270d3f8be6db9
Instruction ID: 8831f88d7733d5c323c613fc166e52a429560689813e7087c96eeecf3537979f
Opcode Fuzzy Hash: c1c920c90bf58fdbc3e8cb355cb3d56a9521444a16e49114f34270d3f8be6db9
Instruction Fuzzy Hash: 0C31AD72D00209BFDF119FA5CC84AEFBB78EB04355F10406AF510B2290E7345A92CBA8

Function 00413A12 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,ServicesActive,000F003F,00700D88,00000000,00405B21,00700D88,00000001,?,00405BAD), ref: 00413A2B
OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,00405BAD), ref: 00413A45
ControlService.ADVAPI32(00000000,00000001,?,?,00405BAD), ref: 00413A5B
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00405BAD), ref: 00413A7B
CloseServiceHandle.ADVAPI32(00000000,?,00405BAD), ref: 00413A82
CloseServiceHandle.ADVAPI32(00000000,?,00405BAD), ref: 00413A89

Strings

ServicesActive, xrefs: 00413A1F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Service$CloseHandleOpen$ChangeConfigControlManager
String ID: ServicesActive
API String ID: 1149404821-3071072050
Opcode ID: e339f78d4b0a7e80bd98c81ccaf5d6764f04251041539ca3299aa54bce896337
Instruction ID: f0dc7679a38273aa7a14fa9322e6c16f7626b2359b715fcf80eadf06e85900ad
Opcode Fuzzy Hash: e339f78d4b0a7e80bd98c81ccaf5d6764f04251041539ca3299aa54bce896337
Instruction Fuzzy Hash: FC0168752443947BCB115BB44C88EFF3F2C9F06393F0001A8F650B3281CE6946468339

Function 00413AAC Relevance: 12.1, APIs: 8, Instructions: 116timefileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00413AB3
GetSystemTime.KERNEL32(?,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00413AC4
SystemTimeToFileTime.KERNEL32(000007D9,00408C5D), ref: 00413AFD
SystemTimeToFileTime.KERNEL32(000007D9,?), ref: 00413B40
SystemTimeToFileTime.KERNEL32(000007D9,76AE8A60), ref: 00413B8E
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 00413BA5
SetFileTime.KERNEL32(00000000,00408C5D,76AE8A60,?), ref: 00413BBF
CloseHandle.KERNEL32(00000000), ref: 00413BC6

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Time$File$System$CloseCountCreateHandleTick
String ID:
API String ID: 1788265925-0
Opcode ID: 62f3a8fd01e86ba9802440c37d62e379551f9e638d6293a371f93cda34054580
Instruction ID: 6c0202463d9a12d9f3580f39e1f5b74af0f3cd93389b840999671226064c08cf
Opcode Fuzzy Hash: 62f3a8fd01e86ba9802440c37d62e379551f9e638d6293a371f93cda34054580
Instruction Fuzzy Hash: C031B877A90318F2CB14B795AC43BDDB77DAF19324F41002BF601B50A0EBB496468B6D

Function 00405FD0 Relevance: 12.0, APIs: 8, Instructions: 49sleepthreadwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000002), ref: 00405FD8
GetWindowThreadProcessId.USER32(?,?), ref: 00405FEB
EnableWindow.USER32(?,00000000), ref: 00405FFD
IsWindowEnabled.USER32(?), ref: 00406004
ShowWindow.USER32(?,00000000), ref: 00406010
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0040601B
SetWindowPos.USER32(?,00000001,00000000,00000001,00000001,00000080), ref: 00406034
DestroyWindow.USER32(?), ref: 0040603B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Window$DestroyEnableEnabledMessagePostProcessShowSleepThread
String ID:
API String ID: 1728564233-0
Opcode ID: 47c4687bb97f38a7d82e6fed2abff5cd8377e49c14785139af8aabca3f8013d2
Instruction ID: 5ce9f396147177345ac3bda0077170ccccec577589b9f7b93905b01a4a4ba7ac
Opcode Fuzzy Hash: 47c4687bb97f38a7d82e6fed2abff5cd8377e49c14785139af8aabca3f8013d2
Instruction Fuzzy Hash: E0012C31241114FBDB319B519D4DEAF3B7DEF86B11F4000A9FA02A6290CB795662CB7A

Function 00422B93 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0042B7F8,00000060), ref: 00422BB3
GetModuleHandleA.KERNEL32(00000000,?,0042B7F8,00000060), ref: 00422C06
GetCommandLineA.KERNEL32(?,0042B7F8,00000060), ref: 00422C9F
GetStartupInfoA.KERNEL32(?), ref: 00422CF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00422D16

Strings

5m, xrefs: 00422CA5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: HandleModule$CommandInfoLineStartupVersion
String ID: 5m
API String ID: 2778164164-1963150287
Opcode ID: 544791c77213106303abe15329d4be5378e9b9fc1e400ee312837e66c0c246e7
Instruction ID: e61f031dfd1e6ee1ba070bf2223e8a7bfb6b0622ed2d9bb9f5bd357ba4bfd0df
Opcode Fuzzy Hash: 544791c77213106303abe15329d4be5378e9b9fc1e400ee312837e66c0c246e7
Instruction Fuzzy Hash: 2341C670F00631AAD721AF76B90566E77A0AF04715FA0442FE405AB292EBBC9942CB5D

Function 00411206 Relevance: 10.6, APIs: 7, Instructions: 67sleepnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000927C0), ref: 00411219
Sleep.KERNEL32(00007530), ref: 00411228
Sleep.KERNEL32(000003E8), ref: 0041123D
gethostname.WS2_32(?,00000080), ref: 00411264
gethostbyname.WS2_32(?), ref: 00411272
inet_ntoa.WS2_32(?), ref: 004112A3
Sleep.KERNEL32(0000EA60), ref: 004112C0

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 826719543-0
Opcode ID: 7231b53defef9bb744e4c9a9a3d516ed9fc0ef3e16fe81c510fceb1934fb8bdb
Instruction ID: 49cc356f681f43e0345f39264a21fc1f5e604774ab5c518727903f99d3873967
Opcode Fuzzy Hash: 7231b53defef9bb744e4c9a9a3d516ed9fc0ef3e16fe81c510fceb1934fb8bdb
Instruction Fuzzy Hash: 9E212731A04744AFDB309BA4ED489EB7BA9AB09301B44057AE701F7121DB38A995C75E

Function 0040D158 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D09A: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000), ref: 0040D0B1
Part of subcall function 0040D09A: lstrcpyA.KERNEL32(00000000,0040D1D5,776AC310), ref: 0040D0DB
Part of subcall function 0040D09A: lstrlenA.KERNEL32(00000000), ref: 0040D0E8
Part of subcall function 0040D09A: lstrcatA.KERNEL32(00000000,.exe), ref: 0040D11C
Part of subcall function 0040D09A: SetFileAttributesA.KERNEL32(00000000,00000080), ref: 0040D12E
Part of subcall function 0040D09A: SetFileAttributesA.KERNEL32(00000000,00000007), ref: 0040D148

GetWindowsDirectoryA.KERNEL32(?,C:\Windows\system32\), ref: 0040D18B
lstrlenA.KERNEL32(?), ref: 0040D19C
lstrcatA.KERNEL32(0000005C,0042A3B0), ref: 0040D1B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040D1CB
C:\Windows\system32\, xrefs: 0040D173
\, xrefs: 0040D1A2

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat$DirectoryWindowslstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Windows\system32\$\
API String ID: 2968102200-2806058128
Opcode ID: 2ed7aec3453b3e2aff95835a4acf487c9ae87da3e95239a0db27f53eae31b2c8
Instruction ID: 7a1d7f8a24643269cf3a04ab3bcaf447689481d6c68f54a33154304281eb3d5c
Opcode Fuzzy Hash: 2ed7aec3453b3e2aff95835a4acf487c9ae87da3e95239a0db27f53eae31b2c8
Instruction Fuzzy Hash: 52F04471E083086ADB2097E09D0ABD677A85B14309F5404BAE9C5F11C5DEBC95CD8A19

Function 0040D7D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\zjisvko.exe,00000104,776AC310,00000000,0040DBDD), ref: 0040D7DF
GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\), ref: 0040D7EC
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0042A3B0), ref: 0040D7F8

Part of subcall function 00414BF8: lstrcpyA.KERNEL32(00000001,00000002,776AC310,00000000,?,0040DB17,C:\Windows\system32\), ref: 00414C42

Part of subcall function 0040C018: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,C:\Users\user\AppData\Local\Temp\,00000104,C:\Users\user\AppData\Local\Temp\,?,00000000,0040D80A), ref: 0040C02D
Part of subcall function 0040C018: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,-00000006,?,00000000,0040D80A), ref: 0040C042
Part of subcall function 0040C018: SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,00000000,0040D80A), ref: 0040C058
Part of subcall function 0040C018: lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0042A3B0,?,00000000,0040D80A), ref: 0040C064
Part of subcall function 0040C018: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,?,00000000,0040D80A), ref: 0040C071
Part of subcall function 0040C018: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,-0000000C,?,00000000,0040D80A), ref: 0040C084
Part of subcall function 0040C018: SetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000007,?,?,?,?,00000000,0040D80A), ref: 0040C09A
Part of subcall function 0040C018: lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\mjvsikbqngeunkjyurda\,0042A3B0,?,?,?,?,00000000,0040D80A), ref: 0040C0A6

Part of subcall function 0040C34F: GetCurrentProcess.KERNEL32(00000008,?,00000000), ref: 0040C37A
Part of subcall function 0040C34F: OpenProcessToken.ADVAPI32(00000000), ref: 0040C381

Part of subcall function 00415EAD: RegCreateKeyExA.KERNEL32(80000002,00000000,0040D819,00000000,C:\Users\user\AppData\Local\Temp\), ref: 00415EE9
Part of subcall function 00415EAD: RegSetValueExA.KERNELBASE(0040D819,00000000,?,?,00000000,00000004,?,00000004), ref: 00415F12
Part of subcall function 00415EAD: RegCloseKey.ADVAPI32(0040D819,?,?,00000000,00000004,?,00000004), ref: 00415F1B

Part of subcall function 00415C5F: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 00415CA3

GetTickCount.KERNEL32 ref: 0040D832

Strings

C:\Users\user\AppData\Local\Temp\zjisvko.exe, xrefs: 0040D7D8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040D7E5, 0040D7EA, 0040D7F7, 0040D7FE

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Filelstrcatlstrcpy$AttributesOpenProcesslstrlen$CloseCountCreateCurrentModuleNamePathTempTickTokenValue
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\zjisvko.exe
API String ID: 312997863-464109022
Opcode ID: 66a191b1396e23743340b3bf8f99a660aa270ad2aa5ebc0f0f600cc81104f07c
Instruction ID: 34194b556595efbbea820b7bb6b9162989cf9261f3116618f2beeb079c5b6fcb
Opcode Fuzzy Hash: 66a191b1396e23743340b3bf8f99a660aa270ad2aa5ebc0f0f600cc81104f07c
Instruction Fuzzy Hash: D7F05E32606350ABC3117BA66C09B8A2AA49B92716F44403EFC09A1193CF7D845E87BE

Function 004056A7 Relevance: 9.1, APIs: 6, Instructions: 102sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 004056CB
GetTickCount.KERNEL32 ref: 004056CF
Sleep.KERNEL32(0000000A), ref: 004057AC
Sleep.KERNEL32(000003E8), ref: 004057BB
GetTickCount.KERNEL32 ref: 004057C3
GetTickCount.KERNEL32 ref: 004057D9

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: bcbde06f772920f99a7293fb31088fc1b5cf2bf604c785bf74fd9613630a949b
Instruction ID: 8886811e3645dd5fd105ac6f2ed7bba4e59cd6dbffd4ffc0903a61d5b9bd62ff
Opcode Fuzzy Hash: bcbde06f772920f99a7293fb31088fc1b5cf2bf604c785bf74fd9613630a949b
Instruction Fuzzy Hash: FE319E60904B91DDEB32A775880436BBBE4CB52304F48087FD581A72C2C67DA888DF6F

Function 004149DC Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004138BC: inet_addr.WS2_32(00000000), ref: 004138C0
Part of subcall function 004138BC: gethostbyname.WS2_32(?), ref: 004138CF

htons.WS2_32(00000000), ref: 004149FC
socket.WS2_32(00000002,00000001,00000006), ref: 00414A11
ioctlsocket.WS2_32(00000000,8004667E,00000004), ref: 00414A2C
connect.WS2_32(00000000,00000002,00000010), ref: 00414A39
select.WS2_32(00000000,00000000,?,00000000,000001BD), ref: 00414A66
closesocket.WS2_32(00000000), ref: 00414A6F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrioctlsocketselectsocket
String ID:
API String ID: 444889835-0
Opcode ID: 4af9d196568c057da8a23582bd8704f8c3ef10ce5a943e317b25921d26bc4570
Instruction ID: ded24326bd6f7ac8a89645a0ee9b908de195810948d6fb162e011f81d8ed15d6
Opcode Fuzzy Hash: 4af9d196568c057da8a23582bd8704f8c3ef10ce5a943e317b25921d26bc4570
Instruction Fuzzy Hash: 44119171900318AFEB019FE0DC49BEEB77CFF08316F00416AFA11A6191DF749A548B98

Function 0041272F Relevance: 9.0, APIs: 6, Instructions: 38sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 00412744
CreateThread.KERNEL32(00000000,00000000,Function_000126AE,00000000,00000000,00000000), ref: 00412758
GetTickCount.KERNEL32 ref: 00412764
GetTickCount.KERNEL32 ref: 0041276C
Sleep.KERNEL32(000003E8), ref: 0041277B
Sleep.KERNEL32(0000EA60), ref: 0041278B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$CountTick$CreateThread
String ID:
API String ID: 4024735586-0
Opcode ID: 9afe8a1db201ebacc295fb3fbbfb31c18dff43c8a1ee2666920b63a3e9e06550
Instruction ID: 30102fe69749e0e27f47770975eac562594a5c07fedf616aa80d11cd1fe59ab1
Opcode Fuzzy Hash: 9afe8a1db201ebacc295fb3fbbfb31c18dff43c8a1ee2666920b63a3e9e06550
Instruction Fuzzy Hash: A0F02B70544389BFE3117B20DEC4CBB3B4CBB423847050436F4619229097885DA6977E

Function 00409201 Relevance: 9.0, APIs: 6, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00408C76,00000080,00408C76,?,?), ref: 0040920A

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

LoadLibraryA.KERNEL32(?,00000000), ref: 00409223
BeginUpdateResourceA.KERNEL32(?,00000001), ref: 00409236
EnumResourceNamesA.KERNEL32(00000000,0000000E,004091E1,00000000), ref: 0040924B
EndUpdateResourceW.KERNEL32(00000000,00000000), ref: 00409254
FreeLibrary.KERNEL32(00000000), ref: 0040925B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Resource$AttributesFileLibraryUpdate$BeginEnumFreeLoadNames
String ID:
API String ID: 980332788-0
Opcode ID: c9332b95d5ea5032ba19c90525e84cbaac37ef8b39fb654ceb47db05e253ad1c
Instruction ID: 7b0f776b340b65bee597074e77a709d4c982056f550d289e304040912e18300f
Opcode Fuzzy Hash: c9332b95d5ea5032ba19c90525e84cbaac37ef8b39fb654ceb47db05e253ad1c
Instruction Fuzzy Hash: C0F05832204212BBD6322F60FC0DF5B7E65AF85B52F444679FA41B01A1CB758C229B6A

Function 004069AA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46stringsleepCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(000003FF,?), ref: 004069C0
Sleep.KERNEL32(000003E8), ref: 004069DA
lstrcpyA.KERNEL32(?,:\System Volume Information), ref: 004069FC

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

Part of subcall function 00413F8E: GetCurrentProcess.KERNEL32(00000008,00000000,?), ref: 00413FA3
Part of subcall function 00413F8E: OpenProcessToken.ADVAPI32(00000000), ref: 00413FAA
Part of subcall function 00413F8E: GetLastError.KERNEL32 ref: 00413FB4

Part of subcall function 00406718: Sleep.KERNEL32(00404909,76AEE800,00000000), ref: 00406726
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406741
Part of subcall function 00406718: FindFirstFileA.KERNEL32(?,?), ref: 00406754
Part of subcall function 00406718: wsprintfA.USER32 ref: 00406798
Part of subcall function 00406718: FindNextFileA.KERNELBASE(00000000,00000010), ref: 00406820
Part of subcall function 00406718: FindClose.KERNEL32(00000000), ref: 00406830

lstrlenA.KERNEL32(00000000), ref: 00406A33

Strings

:\System Volume Information, xrefs: 004069F0

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: FileFind$ProcessSleepwsprintf$AttributesCloseCurrentDriveErrorFirstLastLogicalNextOpenStringsTokenlstrcpylstrlen
String ID: :\System Volume Information
API String ID: 37162560-840427735
Opcode ID: 1e547ddd46358945d6835e75b32b51ce569673e40d171a2a255a8dd4b7171486
Instruction ID: 3a35d430a8b653277afed3024383a8c970a327806e4800319cf946ad7f90d972
Opcode Fuzzy Hash: 1e547ddd46358945d6835e75b32b51ce569673e40d171a2a255a8dd4b7171486
Instruction Fuzzy Hash: 72012B719441695BDB20AB648C09FEA776C5B01301F8000A2A9C5B2181DA786BD68F59

Function 0041100E Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,004111F6,000000FF,00000000,00000000,00000001,00000001,00000000), ref: 0041104A

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

MultiByteToWideChar.KERNEL32(00000000,00000000,004111F6,000000FF,00000000,00000000), ref: 00411064
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000064,00000000,00000000), ref: 004110CB
lstrcpyA.KERNEL32(?,004111F6), ref: 004110DB
lstrcatA.KERNEL32(?,?), ref: 004110EF

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ByteCharMultiWide$Heap$AllocateProcesslstrcatlstrcpy
String ID:
API String ID: 639236505-0
Opcode ID: c560be55742c0ad1ca56dc250278d69ddf19ffe27204263b49b80b7badf15974
Instruction ID: 00c259d247746a2f3f9f6cbc078631993a97f025e118c40de3abb8ee35525b35
Opcode Fuzzy Hash: c560be55742c0ad1ca56dc250278d69ddf19ffe27204263b49b80b7badf15974
Instruction Fuzzy Hash: EB414C72C0021DBFDF219F94CD85DEFBBBDEB08314F5005AAF614A2190DA74AB948A64

Function 00411145 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,004112AF,00000000,00000000), ref: 00411176
lstrlenA.KERNEL32(00000000), ref: 00411180
lstrcmpA.KERNEL32(00000000,004112AF), ref: 004111B9
wsprintfA.USER32 ref: 004111E7

Strings

\\%s\, xrefs: 004111E1

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcmplstrcpylstrlenwsprintf
String ID: \\%s\
API String ID: 3485474333-3797145132
Opcode ID: 32064e61e1f49b5c9c4fb0e02d964cd57f1740343d7312fdcfdc3ce7af2f1b60
Instruction ID: 84d4c3ec829869dbe6ef3b310b516fc96ec6a1f7541f08e11886f651c211f9e4
Opcode Fuzzy Hash: 32064e61e1f49b5c9c4fb0e02d964cd57f1740343d7312fdcfdc3ce7af2f1b60
Instruction Fuzzy Hash: FA21C272A0425DBADF1097A4DC09FEE7BACBB09304F440036E704F7191E778959AC7A5

Function 00407B0A Relevance: 7.6, APIs: 5, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(76AE8A60,00000080,00000000,0044F765,75D36610,?,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00407B25
CreateFileA.KERNEL32(76AE8A60,40000000,00000002,00000000,00000002,00000080,00000000,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00407B36
WriteFile.KERNEL32(00000000,?,00408C5D,00000000,00000000,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00407B4F
CloseHandle.KERNEL32(00000000,?,00407BCE,047E50D0,00408C5D,00408C5D,76AE8A60,00408C5D,?,00000000), ref: 00407B56
SetFileAttributesA.KERNEL32(76AE8A60,00000007,?,00407BCE,047E50D0,00408C5D), ref: 00407B7F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Attributes$CloseCreateHandleWrite
String ID:
API String ID: 692393803-0
Opcode ID: 61aed027ad1a965f9595f279dacd447d0498fcc999f5d6b0d6647d97e83e204e
Instruction ID: 40671c2e2f84df2f62c6f4eb0101908bd37021d9e9d593671b63d8caa07d46a2
Opcode Fuzzy Hash: 61aed027ad1a965f9595f279dacd447d0498fcc999f5d6b0d6647d97e83e204e
Instruction Fuzzy Hash: 13018E31905258BBEF215F649C49FDB3F68AF05364F004126FD00621D08274AE61DB66

Function 0041068A Relevance: 7.5, APIs: 5, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,76AE8A60,?,?,?,004108D0,?,00000000,?), ref: 004106A5
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?,004108D0,?,00000000,?), ref: 004106B6
WriteFile.KERNEL32(00000000,?,004108D0,?,00000000,?,?,004108D0,?,00000000,?), ref: 004106D1
CloseHandle.KERNEL32(00000000,?,?,004108D0,?,00000000,?), ref: 004106D8
SetFileAttributesA.KERNEL32(00000000,00000002,?,?,004108D0,?,00000000,?), ref: 004106E3

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Attributes$CloseCreateHandleWrite
String ID:
API String ID: 692393803-0
Opcode ID: a28542c8d8194dd271a427e1f27038af7f1ed474923027b7147f63bb0d485c30
Instruction ID: 8754977078fc8a3942d47795b7f5e1f7d7f30a626694bd36d382f9fa2b757add
Opcode Fuzzy Hash: a28542c8d8194dd271a427e1f27038af7f1ed474923027b7147f63bb0d485c30
Instruction Fuzzy Hash: 4501A471600208BBDB209FA5DC49FAF7F6CEB89770F504026FA0196191C6B09DA2DB64

Function 004079CF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102stringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004079EF

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

Part of subcall function 00407850: Sleep.KERNEL32(00000005,?,76AF0440,00000000), ref: 00407864
Part of subcall function 00407850: wsprintfA.USER32 ref: 00407883
Part of subcall function 00407850: FindFirstFileA.KERNEL32(?,?), ref: 00407896
Part of subcall function 00407850: wsprintfA.USER32 ref: 004078D4
Part of subcall function 00407850: FindNextFileA.KERNELBASE(00000000,00000010), ref: 0040798E

lstrlenA.KERNEL32(?,?,?,?,76AF0440), ref: 00407A46
lstrcpyA.KERNEL32(?,Desktop,?,?,?,76AF0440), ref: 00407A84

Strings

Desktop, xrefs: 00407A7D

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: FileFindwsprintf$CountFirstFolderFromListLocationMallocNextPathSleepSpecialTicklstrcatlstrcpylstrlen
String ID: Desktop
API String ID: 1306859140-3336322104
Opcode ID: ca510237f18f7b1aecf944856f38dc60a44756b65426155893608739f4359ab0
Instruction ID: d758924f8f924a0cb4478b1c2a6b9e0f80ec40a8d7e309cd9d1a2c00b3c217ad
Opcode Fuzzy Hash: ca510237f18f7b1aecf944856f38dc60a44756b65426155893608739f4359ab0
Instruction Fuzzy Hash: BF31FC71E0C218AFEB10A764EC49BEB37A99B50305F4040BBE18466192DA7C6EC4CF5A

Function 004012E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76AF0F00,76AE8A60,00000000,?,?,?,0040226A,?), ref: 0040132C

Strings

j"@, xrefs: 004012E7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Create$CloseHandleSize
String ID: j"@
API String ID: 268543215-1802473556
Opcode ID: 31f341f7955c10033c650f1ffd4a365dfc58f77a0973fcccc59c783bf6ed1d4e
Instruction ID: b6309a742a4d43b631aa445d4cedeb094c90530624afe1bb7dca7932cb7cf88a
Opcode Fuzzy Hash: 31f341f7955c10033c650f1ffd4a365dfc58f77a0973fcccc59c783bf6ed1d4e
Instruction Fuzzy Hash: 7A21F3B6510300BFE7116FB1ED4599A3FA8EB06364F10053EF901A2170DB7C6595CB5C

Function 00415EAD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(80000002,00000000,0040D819,00000000,C:\Users\user\AppData\Local\Temp\), ref: 00415EE9
RegSetValueExA.KERNELBASE(0040D819,00000000,?,?,00000000,00000004,?,00000004), ref: 00415F12
RegCloseKey.ADVAPI32(0040D819,?,?,00000000,00000004,?,00000004), ref: 00415F1B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00415EB6

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CloseCreateValue
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1818849710-787714339
Opcode ID: 40e6c71a992a7c2e8f09d534d622b9993dff3e98155a1071289031704242a58b
Instruction ID: d33b6102d000e128b126aea15ab64def901b4170a75cf8a89fc65d3170fde99c
Opcode Fuzzy Hash: 40e6c71a992a7c2e8f09d534d622b9993dff3e98155a1071289031704242a58b
Instruction Fuzzy Hash: 4DF036B1941238BADB109B919C4AFEF7F7CEF05755F504075BA04E1051DA705B48C7A5

Function 00413D02 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000100), ref: 00413D20
LoadLibraryA.KERNEL32(sfc_os.dll), ref: 00413D2B
GetProcAddress.KERNEL32(00000000,00000005), ref: 00413D34

Strings

sfc_os.dll, xrefs: 00413D26

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AddressByteCharLibraryLoadMultiProcWide
String ID: sfc_os.dll
API String ID: 333878435-2681931132
Opcode ID: 3c36bd2c1550f0672266681a64d7f472ae4e6c1e8223920922018f43c4b72a64
Instruction ID: b7e4b594249faae0cedef0215e17f547bd7fa22e2a5bf3066866e522bee7e195
Opcode Fuzzy Hash: 3c36bd2c1550f0672266681a64d7f472ae4e6c1e8223920922018f43c4b72a64
Instruction Fuzzy Hash: B0E04F317443147BFB205FA0EC4EFA6362CAB04B61F640354BB35E40D0EEF495998B6A

Function 0040D4A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000043), ref: 0040D4AB

Part of subcall function 00413DD8: ExitWindowsEx.USER32(00000006,00050005), ref: 00413DED

Sleep.KERNEL32(000001F4), ref: 0040D4C5
Sleep.KERNEL32(shutdown -r), ref: 0040D4D8

Strings

shutdown -r, xrefs: 0040D4C7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$CallbackDispatcherExitUserWindows
String ID: shutdown -r
API String ID: 2129780474-3966090723
Opcode ID: d65347461eb1159606083e011ae0f0cf97533425740c30ccdfe41762bb4e863b
Instruction ID: d656d09b155cd6634d9f5f8501bfea0dcfe2fee2f2a7f8f05d117fa0df0b0c8d
Opcode Fuzzy Hash: d65347461eb1159606083e011ae0f0cf97533425740c30ccdfe41762bb4e863b
Instruction Fuzzy Hash: 72D0C730B842219BD5203FE15D0775D39646F10715F81007FAD457A1D1CEBDA6619A6F

Function 00415C5F Relevance: 6.1, APIs: 4, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 00415CA3
RegQueryValueExA.KERNEL32(00000000,00000000,?,?,00000000,?,00000001,?), ref: 00415CD9
RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000001,?), ref: 00415CE6
RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000001,?), ref: 00415CEE

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: a491de724d99324340aeb177c98d6297e6913b01a10ba44178b77f50eafc96a5
Instruction ID: 351be250b04c206962fd1380f2a074eff5c3e03c83a55a2369d373208c135491
Opcode Fuzzy Hash: a491de724d99324340aeb177c98d6297e6913b01a10ba44178b77f50eafc96a5
Instruction Fuzzy Hash: 43115EB1A00218FFEB119FA0DC46FEEBBBCAB04705F50047AA505E5082EB749A449B69

Function 0040C54E Relevance: 6.0, APIs: 4, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C591
CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0040C5A7
GetLastError.KERNEL32 ref: 0040C5AF
CloseHandle.KERNEL32(00000000), ref: 0040C5BA

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Mutex$CloseCreateErrorHandleLastOpenlstrlen
String ID:
API String ID: 592644537-0
Opcode ID: 000a1266c8250fe00c398a31faa2c87a8f7fc2f543a9cf41a7e6eb80620c8649
Instruction ID: c80b6dc3ec81cb7e527f81272f8b9e0629b83a31c53efe65eae3f0c2fc373074
Opcode Fuzzy Hash: 000a1266c8250fe00c398a31faa2c87a8f7fc2f543a9cf41a7e6eb80620c8649
Instruction Fuzzy Hash: 4001DB36500224BBDB325B64DC45FE63BACAB08750F0001B7FA45E61C1DAB49B898EA9

Function 004126AE Relevance: 6.0, APIs: 4, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004126D4
GetTickCount.KERNEL32 ref: 004126F4
GetTickCount.KERNEL32 ref: 00412706
Sleep.KERNEL32(00001388), ref: 00412727

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 294893e2361b1ba13b3bbcb390845a27b485d236ad8f25031e62fff4223f08ce
Instruction ID: c9d6b92abd626ca5db185230e959bef37719a4ae52968149ec7b4f218e17ecc5
Opcode Fuzzy Hash: 294893e2361b1ba13b3bbcb390845a27b485d236ad8f25031e62fff4223f08ce
Instruction Fuzzy Hash: 590161708047809AEF30AB30D6444ABBB909F113507498D5FD4E6E26D1D79DACE89B5A

Function 004140CA Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
SHGetMalloc.SHELL32(?), ref: 004140F2
lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: FolderFromListLocationMallocPathSpeciallstrcat
String ID:
API String ID: 184925564-0
Opcode ID: c5650b9585e189a1aad39bfab654fba963a07972d6129a42c432e7bc8104cf66
Instruction ID: 4893c9fcd2a20e39af297159af48713977b3e8e57404a87c3b1fccec64a73e85
Opcode Fuzzy Hash: c5650b9585e189a1aad39bfab654fba963a07972d6129a42c432e7bc8104cf66
Instruction Fuzzy Hash: D0F0E275600219FFCB109F94DC08A9A7BA8EF09315F1080A4FD05D7250D675AA12CBA6

Function 00410BF4 Relevance: 6.0, APIs: 4, Instructions: 32memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Sleep.KERNEL32(0000012C,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C14
GetProcessHeap.KERNEL32(00000008,00413E9A,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C1D
RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Heap$Process$AllocateSleep
String ID:
API String ID: 3409823521-0
Opcode ID: dc8d79010e6cb7fb2a9b52c8fd9bd5d07f5d98b887a2c5e385c4889fd42eb09a
Instruction ID: 01a82105be4d9c68f9512b8fa3753ec40f4bf94fe3f1a858fa601996ad67c288
Opcode Fuzzy Hash: dc8d79010e6cb7fb2a9b52c8fd9bd5d07f5d98b887a2c5e385c4889fd42eb09a
Instruction Fuzzy Hash: D7E0D83274121877C020279BAD45F5BF75CDFD5BA4F414022F704971509AA6686286FA

Function 0040D016 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C472: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 0040C4B4

ShellExecuteA.SHELL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000,00000000,00000001), ref: 0040D06C
Sleep.KERNEL32(000007D0), ref: 0040D080

Strings

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe, xrefs: 0040D065

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ExecuteMutexOpenShellSleep
String ID: C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe
API String ID: 3313497417-2091069259
Opcode ID: 117c280adc1b803f575a3237ff7414ec7e63fe4d44f94df6fb0d4f2777152324
Instruction ID: 3e9c2417071d30d14c851cbdd2542e738391786d2d5ab44393d6f6cb1bd2832f
Opcode Fuzzy Hash: 117c280adc1b803f575a3237ff7414ec7e63fe4d44f94df6fb0d4f2777152324
Instruction Fuzzy Hash: 59F0AF61AC1214A9FE2067F09C92FF713080B1231EF14013BBD84B60C3CAAD0C4ED26D

Function 004156F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 00415701
GetWindowTextA.USER32(?,?,00000078), ref: 00415711

Strings

Twitter, xrefs: 0041571A

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: SleepTextWindow
String ID: Twitter
API String ID: 1325625986-3654763050
Opcode ID: 064e06eff7cba56788296dd554277bd5bcdb24fe66745113e8d5994929ac3a61
Instruction ID: 2a0e3f0a641bcea6516841aa513571c01fddd2f65c57e64924d831f9732283cf
Opcode Fuzzy Hash: 064e06eff7cba56788296dd554277bd5bcdb24fe66745113e8d5994929ac3a61
Instruction Fuzzy Hash: 0DF02271A04114EFDB10DB60D84AEEA7BA8FF04304F50806BF815C72D1EB38E885C759

Function 00410335 Relevance: 4.6, APIs: 3, Instructions: 84fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,76AE83C0,00000000), ref: 00410393
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004103A9
CloseHandle.KERNEL32(?), ref: 004103B2

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$CloseCreateHandleHeap$AllocateProcessReadSizelstrlen
String ID:
API String ID: 3521016810-0
Opcode ID: e87de52dd8e88f286967c1eff207711887f7482a07c82e20ed90b173d74b53ad
Instruction ID: 5bf679c8028eb031669f3285946201917d3a701bc05667cd36c703c6161c815c
Opcode Fuzzy Hash: e87de52dd8e88f286967c1eff207711887f7482a07c82e20ed90b173d74b53ad
Instruction Fuzzy Hash: 70212572500208BFDB20AF65DC85EEB7B68EF41364F10042AF950E7180EBB89AD0CB65

Function 0040245C Relevance: 4.6, APIs: 3, Instructions: 62sleepnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E03: socket.WS2_32(00000002,00000001,00000006), ref: 00414E1A
Part of subcall function 00414E03: ioctlsocket.WS2_32(00000000,8004667E,76AF23A0), ref: 00414E2D
Part of subcall function 00414E03: htons.WS2_32(?), ref: 00414E3C
Part of subcall function 00414E03: connect.WS2_32(00000000,00000002,00000010), ref: 00414E53
Part of subcall function 00414E03: WSAGetLastError.WS2_32(?,?,00000000), ref: 00414E62
Part of subcall function 00414E03: select.WS2_32(00000000,00000000,?,?,?), ref: 00414EA6
Part of subcall function 00414E03: __WSAFDIsSet.WS2_32(00000000,?), ref: 00414EB8
Part of subcall function 00414E03: ioctlsocket.WS2_32(00000000,8004667E,76AF23A0), ref: 00414ECA

send.WS2_32(00000000,?,0000000A,00000000), ref: 004024AF
Sleep.KERNEL32(000003E8,?,?,?,?,?,76AF23A0,?,?,004132DF,00003EE0,00003EE0), ref: 004024BA
closesocket.WS2_32(00000000), ref: 004024E5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ioctlsocket$ErrorLastSleepclosesocketconnecthtonsselectsendsocket
String ID:
API String ID: 2050872176-0
Opcode ID: 594b18c2408706cde238c60673fabe3dde89ddc923651aed0ec5ce55a4ff25a5
Instruction ID: ec0fecb526b010ebb54ffab285d2fd429f80eeafa325eacc7e4220b2904c4743
Opcode Fuzzy Hash: 594b18c2408706cde238c60673fabe3dde89ddc923651aed0ec5ce55a4ff25a5
Instruction Fuzzy Hash: 1201D632644218BFEF216B94DD46DEF3B6CEB09354F000036FE04B51D1E67A5E5687AA

Function 00401E2A Relevance: 4.6, APIs: 3, Instructions: 62fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

CreateFileA.KERNEL32(0040C791,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E78
ReadFile.KERNEL32(00000000,00000000,00000000,0040C791,00000000,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E8E
CloseHandle.KERNEL32(?,?,00000000,76AE83C0,76AE8A60,?,0040C791,00000000), ref: 00401E97

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$CloseCreateHandle$ReadSize
String ID:
API String ID: 544545239-0
Opcode ID: e69d7c9796f7011418dbdc12bb5b1820b9feb26d2d6a72cc67a0287690586167
Instruction ID: 70d0acc40c6bbc286e2840f8266f4b633dd67f2653dc02f1a20cf65559c156c9
Opcode Fuzzy Hash: e69d7c9796f7011418dbdc12bb5b1820b9feb26d2d6a72cc67a0287690586167
Instruction Fuzzy Hash: 8A0126719042087BDB212BA59C89EFF3F6CDF423A8F10016AF901720D1DA7D0A5686A9

Function 004015BB Relevance: 4.6, APIs: 3, Instructions: 57fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041382B: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
Part of subcall function 0041382B: GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
Part of subcall function 0041382B: CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

Part of subcall function 00410BF4: GetProcessHeap.KERNEL32(00000008,00413E9A,TokenIntegrityLevel,76AEE010,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052), ref: 00410C05
Part of subcall function 00410BF4: RtlAllocateHeap.NTDLL(00000000,?,76AE83C0,00413E9A,00000000,76AE83C0,?,?,?,?,?,76AF0440,0040C052,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,00000000), ref: 00410C20

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,76AF23A0), ref: 004015F4
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040160B
CloseHandle.KERNEL32(00000000), ref: 00401612

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$CloseCreateHandleHeap$AllocateProcessReadSize
String ID:
API String ID: 1554977068-0
Opcode ID: f319484c08961f7058206c12f5d498bb27d9632b74153328f5358bc5bd752ab7
Instruction ID: 437f12209849ad53b107f50a2360d686c4f8b310406f18f1b6bf1e92a4d40f60
Opcode Fuzzy Hash: f319484c08961f7058206c12f5d498bb27d9632b74153328f5358bc5bd752ab7
Instruction Fuzzy Hash: AC01F9314442087FDB116BA59C85FEE7FB8DF05374F04006AF941761E1DA7A0A97C769

Function 0040928F Relevance: 4.5, APIs: 3, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

LoadLibraryA.KERNEL32(00409404,76AE83C0,?,?,00409404), ref: 004092AA
EnumResourceNamesA.KERNEL32(00000000,0000000E,00409264,00000000), ref: 004092C2
FreeLibrary.KERNEL32(00000000,?,00409404), ref: 004092C9

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Library$AttributesEnumFileFreeLoadNamesResource
String ID:
API String ID: 2488163118-0
Opcode ID: 9f6b4d6cef0f2ea5774dd501f037b3dceafdfd7fed8f049d80365b9b6919557a
Instruction ID: 5d606b248aeee1f7ae5c7b3174170a0de79bc4e61d012c978a38f7f46c235745
Opcode Fuzzy Hash: 9f6b4d6cef0f2ea5774dd501f037b3dceafdfd7fed8f049d80365b9b6919557a
Instruction Fuzzy Hash: EFE06D32601218FBDB219FA1ED09FDE7AA8EF0075AF0401A5FC01B1190D779CE129AA9

Function 0041382B Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,76AF3520,00000000,00413BDE,?,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe), ref: 00413843
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 0041384D
CloseHandle.KERNEL32(00000000,?,?,?,?,0040D13D,C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe,00000000), ref: 00413856

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: a7e7e2852162d901733bd9cb003451e439e81ea291194a1f39b14b788c7c5ea1
Instruction ID: 4a430e91a8f863336b2687282291e13684705547ea1748166e0690fd64c8d12b
Opcode Fuzzy Hash: a7e7e2852162d901733bd9cb003451e439e81ea291194a1f39b14b788c7c5ea1
Instruction Fuzzy Hash: 98E0C23639022077D7301737AC0EFA73DA9EBC6F31F040134FE01E2190C9644962C265

Function 00409445 Relevance: 3.1, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00409456
GetTickCount.KERNEL32 ref: 0040947E

Part of subcall function 004140CA: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,76AE8A60,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140DE
Part of subcall function 004140CA: SHGetPathFromIDListA.SHELL32(?,?,?,?,0041080C,00000026,?,?,00000000,?), ref: 004140E8
Part of subcall function 004140CA: SHGetMalloc.SHELL32(?), ref: 004140F2
Part of subcall function 004140CA: lstrcatA.KERNEL32(?,0042A3B0,?,?,0041080C,00000026,?,?,00000000,?), ref: 00414113

Part of subcall function 004092D5: Sleep.KERNEL32(00000005,?,?,00000000), ref: 004092E3
Part of subcall function 004092D5: wsprintfA.USER32 ref: 00409304
Part of subcall function 004092D5: FindFirstFileA.KERNEL32(?,?), ref: 0040932F
Part of subcall function 004092D5: wsprintfA.USER32 ref: 00409379
Part of subcall function 004092D5: FindClose.KERNEL32(00000000), ref: 00409427

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountFindTickwsprintf$CloseFileFirstFolderFromListLocationMallocPathSleepSpeciallstrcat
String ID:
API String ID: 1771340629-0
Opcode ID: de2d4fffb14a53561be6066af87212ad6e40e30e842f28538245181382f3ddf5
Instruction ID: d43fa70b2e8546f669071ef85ae958b19b834022825b6d14a38872369a11e59a
Opcode Fuzzy Hash: de2d4fffb14a53561be6066af87212ad6e40e30e842f28538245181382f3ddf5
Instruction Fuzzy Hash: 39112972D0021CFADF14E6A59C06BDE7B7C9F14314F1404EBFA04A7082D6B95EC68B58

Function 00415755 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

EnumWindows.USER32(004156F5,?), ref: 0041577E
EnumWindows.USER32(004156F5,?), ref: 00415795

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 8c3c258de0779b9c8e79a4f210a95e61b6b4d78123848c425870111b3621d7f7
Instruction ID: 08bc3dfc3ca57a7b19c1323d72fd326351c4c93af85a7a59c5340015e754f61c
Opcode Fuzzy Hash: 8c3c258de0779b9c8e79a4f210a95e61b6b4d78123848c425870111b3621d7f7
Instruction Fuzzy Hash: E7F07F76E00208EB8B00DF99D8808DEFBB8AB89210B5080BBE515E3250D674AA448FA4

Function 00425B9F Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00422C60,00000000,?,0042B7F8,00000060), ref: 00425BB0

Part of subcall function 00427433: HeapAlloc.KERNEL32(00000000,00000140,00425BD8,000003F8,?,0042B7F8,00000060), ref: 00427440

HeapDestroy.KERNEL32(?,0042B7F8,00000060), ref: 00425BE3

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 515d63fb8d1a4909140f08a63f5b198cdef78c224400cc72ab3f26efe8c330c1
Instruction ID: 7544e6c939ce91180a6ab0966c6dc760d355c7477ffebe0e505c52c9fcc3e56c
Opcode Fuzzy Hash: 515d63fb8d1a4909140f08a63f5b198cdef78c224400cc72ab3f26efe8c330c1
Instruction Fuzzy Hash: 5AE04870B547505BDB116F71BD0572A7EF4DB44757FD4043AF400C9190FB789550D50A

Function 00414EF4 Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413A97: GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

SetFileAttributesA.KERNEL32(?,00000080,00000000,0040D390,00000000), ref: 00414F15
DeleteFileA.KERNEL32(?), ref: 00414F23

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: File$Attributes$Delete
String ID:
API String ID: 3735447641-0
Opcode ID: 8ac88836f2ab90761ba2384d917984e8a8679a44354fc932b9654ae0036aab30
Instruction ID: c8b0946db805fe60de2d8deca71c357936a8c388aae56265ab53df069b0f119a
Opcode Fuzzy Hash: 8ac88836f2ab90761ba2384d917984e8a8679a44354fc932b9654ae0036aab30
Instruction Fuzzy Hash: 80D017322065316AA5153B66BC0AADF2B5D9F92326F02805BF94096190DF5C6AD307AE

Function 004138BC Relevance: 3.0, APIs: 2, Instructions: 13networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 004138C0
gethostbyname.WS2_32(?), ref: 004138CF

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: eb76842224a1faf79450d25f8aee8274ca296761e667cb97ba039a537268e28f
Instruction ID: 4bc32c79bd011178c67701030c92f42e53953f8fcabd8697eb53bb383bf72a4a
Opcode Fuzzy Hash: eb76842224a1faf79450d25f8aee8274ca296761e667cb97ba039a537268e28f
Instruction Fuzzy Hash: CED09234204600DFCF119F24D98998AB7E5BF45722B5446A9F469D72B1CB35ED80AA09

Function 00410C3B Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 969254deb2add1187b88b354c7ae7fe4fc641dc09986d8278be8f81eb28bda17
Instruction ID: a6d593b0423ec023e5a7d9a3c9df955ab54794e0b81865e68d434db1e99dc6aa
Opcode Fuzzy Hash: 969254deb2add1187b88b354c7ae7fe4fc641dc09986d8278be8f81eb28bda17
Instruction Fuzzy Hash: E7C04C35604201EBDF155F909A0CB4A7A68AB54702F40C414B646910A0A6B58491EF56

Function 00410B43 Relevance: 2.6, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004596A4,776AC310,00000000,?,00000000,?,?,0040DC70), ref: 00410B4F

Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C
Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 004104CD
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 00410528

LeaveCriticalSection.KERNEL32(004596A4), ref: 00410BC7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalSectionlstrcatlstrcpy$EnterLeave
String ID:
API String ID: 2748643047-0
Opcode ID: f3a8277ca17723fda54409e048a50b36382ac72469a9019fcfd8bdcfa53f4e2c
Instruction ID: 68974133c59aea05669214fb2f6e98e2e9ec4fd86eb8517214c824c61ba99a5f
Opcode Fuzzy Hash: f3a8277ca17723fda54409e048a50b36382ac72469a9019fcfd8bdcfa53f4e2c
Instruction Fuzzy Hash: DB01C43111C3499AE321A7A5A846BEB7A888B5275DF14005FF54411283DADE6CC883BF

Function 00410A33 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A40

Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C
Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 004104CD
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 00410528

LeaveCriticalSection.KERNEL32(00459674,?,?,00000000,?,?,00405B7A), ref: 00410A70

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalHeapSectionlstrcatlstrcpy$EnterFreeLeaveProcess
String ID:
API String ID: 1635794589-0
Opcode ID: 697349440ad3a4c0738cd5f6c8bd4ea0e9e62dab480b8c700343a3dd22e704f2
Instruction ID: dedfa05831604fd7aa66069306e70089590955466a8fafaf4790451171396cef
Opcode Fuzzy Hash: 697349440ad3a4c0738cd5f6c8bd4ea0e9e62dab480b8c700343a3dd22e704f2
Instruction Fuzzy Hash: 84E06137641118BBD70023569C06CDF77ACCF93328704003BF500E32429E998D4A597D

Function 00408CB0 Relevance: 2.5, APIs: 2, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00007530), ref: 00408CCC
Sleep.KERNEL32(00007530), ref: 00408CE1

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 70eec187e1bc74f4e42c313e75ceff032a5979c6d60e0dc90678fd465b164588
Instruction ID: 5b76fad1b3a3026ba39646696a2718e3d834ec5acfd08c0accd955a09e5b93b0
Opcode Fuzzy Hash: 70eec187e1bc74f4e42c313e75ceff032a5979c6d60e0dc90678fd465b164588
Instruction Fuzzy Hash: 29F02E5080E3586AF311A7602E41ABB3A2C6396300F0401BFE5C023282DE3C5D87A77F

Function 00410A7D Relevance: 2.5, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004596EC), ref: 00410A89

Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C
Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 004104CD
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 00410528

LeaveCriticalSection.KERNEL32(004596EC), ref: 00410AB5

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalHeapSectionlstrcatlstrcpy$EnterFreeLeaveProcess
String ID:
API String ID: 1635794589-0
Opcode ID: cb4259ecb53f39bd3b364a17de4d70ebb816f14b877915ec9a5bf24efd05947b
Instruction ID: 558c6fed377a1a06ef59d79f974a0448eb50e41ddbc5651fbdd80fc1f002dbfb
Opcode Fuzzy Hash: cb4259ecb53f39bd3b364a17de4d70ebb816f14b877915ec9a5bf24efd05947b
Instruction Fuzzy Hash: CEE0D836500219B7CA013352AC06CEF376CCFC1325700007BF900A1142AFA84A5655BE

Function 00410ABF Relevance: 2.5, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004596D4), ref: 00410ACB

Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C
Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 004104CD
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 00410528

LeaveCriticalSection.KERNEL32(004596D4), ref: 00410AF7

Part of subcall function 00403B3B: EnterCriticalSection.KERNEL32(0044F7B8), ref: 00403BBA
Part of subcall function 00403B3B: LeaveCriticalSection.KERNEL32(0044F7B8), ref: 00403C08

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalSection$EnterHeapLeavelstrcatlstrcpy$FreeProcess
String ID:
API String ID: 4118261277-0
Opcode ID: 3ca2dd48f282690bd00df644f2c080bdf3a1012e893f5bb480b587024acb2e23
Instruction ID: 8a82e384ee3cd6b6b9046089204b46f66385678c75452ab7dc64b47551c4a3b9
Opcode Fuzzy Hash: 3ca2dd48f282690bd00df644f2c080bdf3a1012e893f5bb480b587024acb2e23
Instruction Fuzzy Hash: 16E0D836500219B7C61167529C06CEF376CCFD2369704003AFA00A1142AFA85A4656BE

Function 00410B01 Relevance: 2.5, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004596BC), ref: 00410B0D

Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,?,004596A4,00000000,00000000), ref: 0041046C
Part of subcall function 0041040C: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004104B7
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 004104CD
Part of subcall function 0041040C: lstrcatA.KERNEL32(?,?), ref: 00410528

LeaveCriticalSection.KERNEL32(004596BC), ref: 00410B39

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalHeapSectionlstrcatlstrcpy$EnterFreeLeaveProcess
String ID:
API String ID: 1635794589-0
Opcode ID: 61f23f1feac9da1857be3caf15ea46eb45817ce79b3c0bc689132db51f1595d8
Instruction ID: 01a1a5974bb7879706257b999bec6720d2d3efde8f67bc32b552a0164b2f4e70
Opcode Fuzzy Hash: 61f23f1feac9da1857be3caf15ea46eb45817ce79b3c0bc689132db51f1595d8
Instruction Fuzzy Hash: 57E0D837504109B7DA0133569C06CEF7B6CCFC1329B10007AFA00A1142ABA85A4655BE

Function 00410905 Relevance: 2.5, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00459674,?,?,?,?,00405B90), ref: 00410911
LeaveCriticalSection.KERNEL32(00459674,?,?,?,?,00405B90), ref: 0041093C

Part of subcall function 004106F5: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004107DA
Part of subcall function 004106F5: lstrcatA.KERNEL32(?,00000000), ref: 004107EE
Part of subcall function 004106F5: lstrcatA.KERNEL32(?,00000000), ref: 0041081D

Part of subcall function 00410C3B: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410C48
Part of subcall function 00410C3B: RtlFreeHeap.NTDLL(00000000), ref: 00410C4F

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalHeapSectionlstrcat$EnterFreeLeaveProcesslstrcpy
String ID:
API String ID: 3323972785-0
Opcode ID: ae954d6f5e76fe2422a43cd1b0bd73ce42c99be91e418301e9b9b40bd99de99e
Instruction ID: 2e67d144bda5db5fde53bec597ac830df5b377d2de92b0413c9f70af8a64aae9
Opcode Fuzzy Hash: ae954d6f5e76fe2422a43cd1b0bd73ce42c99be91e418301e9b9b40bd99de99e
Instruction Fuzzy Hash: 13E02037600105B3DB1033679C09CDF362CCFC2719B04007AF600A1142AEA88A5199BD

Function 00410A09 Relevance: 2.5, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004596A4,76AF0F10,0040DCA6), ref: 00410A10

Part of subcall function 004106F5: lstrcpyA.KERNEL32(?,C:\Windows\system32\), ref: 004107DA
Part of subcall function 004106F5: lstrcatA.KERNEL32(?,00000000), ref: 004107EE
Part of subcall function 004106F5: lstrcatA.KERNEL32(?,00000000), ref: 0041081D

LeaveCriticalSection.KERNEL32(004596A4), ref: 00410A2B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalSectionlstrcat$EnterLeavelstrcpy
String ID:
API String ID: 21580356-0
Opcode ID: dbad786902521ef2a43ae6b9d13e0d40a3c77f57740725f7f0cc5ceb27dd9b6e
Instruction ID: 8ffb7ea9a24c77e789fc70eeb2b3611c4f5ddf6054abb4146ee1ef14009210d2
Opcode Fuzzy Hash: dbad786902521ef2a43ae6b9d13e0d40a3c77f57740725f7f0cc5ceb27dd9b6e
Instruction Fuzzy Hash: 94C01232A85620EBD30123507C0AACA26085F1A71AF054062BA04A018247CA0DBA42EF

Function 00406B26 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(00000000), ref: 00406B2A

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 59ebdadbfa4fd2ac7ce1fdd4255f708b262a8d421ab261c42ac288045bea9f76
Instruction ID: 390f8c9e623fd061238ed2f251397991bed3ec6c024a29537ca926e32217f973
Opcode Fuzzy Hash: 59ebdadbfa4fd2ac7ce1fdd4255f708b262a8d421ab261c42ac288045bea9f76
Instruction Fuzzy Hash: 68E0C0A29011308ADF3467089444FA673F45B42355F174177E856FB2E5C63CADA1A68D

Function 004094E3 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00402188,00000080,76AE83C0), ref: 004094F5

Part of subcall function 00409445: GetTickCount.KERNEL32 ref: 00409456
Part of subcall function 00409445: GetTickCount.KERNEL32 ref: 0040947E

Part of subcall function 00409201: SetFileAttributesA.KERNEL32(00408C76,00000080,00408C76,?,?), ref: 0040920A
Part of subcall function 00409201: LoadLibraryA.KERNEL32(?,00000000), ref: 00409223
Part of subcall function 00409201: BeginUpdateResourceA.KERNEL32(?,00000001), ref: 00409236
Part of subcall function 00409201: EnumResourceNamesA.KERNEL32(00000000,0000000E,004091E1,00000000), ref: 0040924B
Part of subcall function 00409201: EndUpdateResourceW.KERNEL32(00000000,00000000), ref: 00409254
Part of subcall function 00409201: FreeLibrary.KERNEL32(00000000), ref: 0040925B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Resource$AttributesCountFileLibraryTickUpdate$BeginEnumFreeLoadNames
String ID:
API String ID: 332485259-0
Opcode ID: aa2399a63ca9aae241752629d7ee7372cca2ecd2683ada0a11be860c9fc6ac4e
Instruction ID: 7a13fce82ae193ae15c9ef1ea134f81cf1a0ad1ef5f9e46982e1901b7c9d945b
Opcode Fuzzy Hash: aa2399a63ca9aae241752629d7ee7372cca2ecd2683ada0a11be860c9fc6ac4e
Instruction Fuzzy Hash: D1E09276908108BADF609A64DC09FC97BA85B50304F0044A5B5C8B5092EAB4A6D98B55

Function 00414D8E Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0040D2A9,00000000), ref: 00414DA4

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: be5cc59e789f861664658e48bd89c188ad812a6811f4700a052b99e26e539987
Instruction ID: 1e1558fb8b0164460d63e7c9d042b0b03a7d8c51ed854541774a8aeec67ebbc2
Opcode Fuzzy Hash: be5cc59e789f861664658e48bd89c188ad812a6811f4700a052b99e26e539987
Instruction Fuzzy Hash: E8C092303C0300BAFE314A00AC07F047611A740F01F304014BB80BC0E085E12165960D

Function 00413A97 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,0040C71D,00000000), ref: 00413A9B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6a766d55de5806cb64bf156286ed74061e33ddd11af47f180c1e3163fbbd4410
Instruction ID: 7233bf50e2f4aa5628624fa1b3fb2043d1fc11f99b5e30410f9e75dee4eb0990
Opcode Fuzzy Hash: 6a766d55de5806cb64bf156286ed74061e33ddd11af47f180c1e3163fbbd4410
Instruction Fuzzy Hash: CEB012753140008BCB1807349C4D04D35506F447317600B7CB033D11F0D721CD71BA01

Function 004076C6 Relevance: 1.3, APIs: 1, Instructions: 22sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00007530), ref: 004076DD

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a699e3b7de746c953ddd410e926f528a0fc1db7196d3279a8b389d05279905bd
Instruction ID: b41233fd9f10432f29f029f0335cdb505235e2ac6c4645e7a9acbac9401b36fb
Opcode Fuzzy Hash: a699e3b7de746c953ddd410e926f528a0fc1db7196d3279a8b389d05279905bd
Instruction Fuzzy Hash: 35E0DF20D4C30466F320A2698C0EBE63A580704324F0004B3AA563B1D2DABD7E9587AF

Function 00405B01 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A,?,00405BAD), ref: 00405B25

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fc5a16abde3c5393a59e43420f29fb8d6d7f096dde32d6ffd8f3b158bb0a1046
Instruction ID: b3a6002bbe992a08d0682ba018f63b08d0f08f75ac90016549530ea76ecb5310
Opcode Fuzzy Hash: fc5a16abde3c5393a59e43420f29fb8d6d7f096dde32d6ffd8f3b158bb0a1046
Instruction Fuzzy Hash: CDE0CD31A04B205BE7366710BD05B9337E4DF05720F04056BE440371D05B787D81C69D

Non-executed Functions

Function 00401000 Relevance: 43.9, APIs: 13, Strings: 12, Instructions: 190stringfilesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,76AE83C0,76AE8A60,00000000), ref: 00401010
wsprintfA.USER32 ref: 00401028
FindFirstFileA.KERNEL32(?,?), ref: 0040103F
wsprintfA.USER32 ref: 0040108E
lstrcpyA.KERNEL32(?,?), ref: 004011CA
lstrcatA.KERNEL32(?,0042A3B0), ref: 004011D4
lstrcatA.KERNEL32(?,?), ref: 004011E4
lstrcpyA.KERNEL32(?,?), ref: 00401215
lstrcatA.KERNEL32(?,0042A3B0), ref: 0040121B
lstrcatA.KERNEL32(?,?), ref: 0040122B
CopyFileA.KERNEL32(?,?,00000001), ref: 0040123D
FindNextFileA.KERNEL32(?,00000010), ref: 0040124D
FindClose.KERNEL32(?), ref: 00401260

Strings

.ppt, xrefs: 0040114F
.jpeg, xrefs: 00401102
.3gp, xrefs: 00401194
.bmp, xrefs: 0040117D
.gif, xrefs: 00401138
.rtf, xrefs: 0040111D
%s\%s, xrefs: 00401088
.txt, xrefs: 004011AB
.jpg, xrefs: 004010E7
%s\*, xrefs: 00401022
.xls, xrefs: 00401166
.doc, xrefs: 004010CC

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$FileFind$lstrcpywsprintf$CloseCopyFirstNextSleep
String ID: %s\%s$%s\*$.3gp$.bmp$.doc$.gif$.jpeg$.jpg$.ppt$.rtf$.txt$.xls
API String ID: 410483186-4223433645
Opcode ID: 1bcf79c679bfb750c70df176564b50a258270a4ebb8da8457167ef855b4bdc68
Instruction ID: 8443bdfcda034cd6fdbb2585da044ab3805babf66fc6f46138fa2843509b9348
Opcode Fuzzy Hash: 1bcf79c679bfb750c70df176564b50a258270a4ebb8da8457167ef855b4bdc68
Instruction Fuzzy Hash: A55174B29043589BDF25DBA0ED49BDE77ACEB08315F5400ABFD04E2190E778DB948B19

Function 0040C15D Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 228sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040C2F4

Part of subcall function 0040FB2F: socket.WS2_32(00000002,00000001,00000006), ref: 0040FB65
Part of subcall function 0040FB2F: htons.WS2_32(00000050), ref: 0040FB83
Part of subcall function 0040FB2F: connect.WS2_32(?,?,00000010), ref: 0040FB96
Part of subcall function 0040FB2F: wsprintfA.USER32 ref: 0040FBD0
Part of subcall function 0040FB2F: lstrlenA.KERNEL32(?,00000000), ref: 0040FBE3
Part of subcall function 0040FB2F: send.WS2_32(?,?,00000000), ref: 0040FBF4
Part of subcall function 0040FB2F: select.WS2_32(?,?,00000000,00000000,?), ref: 0040FC3E
Part of subcall function 0040FB2F: __WSAFDIsSet.WS2_32(?,00000001), ref: 0040FC4E
Part of subcall function 0040FB2F: recv.WS2_32(?,?,00000001,00000000), ref: 0040FC6C

Sleep.KERNEL32(00000BB8), ref: 0040C329
GetTickCount.KERNEL32 ref: 0040C33E

Strings

www.myspace.com/, xrefs: 0040C1A1
www.imdb.com/, xrefs: 0040C290
www.yahoo.com/, xrefs: 0040C1DF
www.google.com/, xrefs: 0040C16A
www.youtube.com/, xrefs: 0040C1BF
www.blogger.com/, xrefs: 0040C236
www.ebay.com/, xrefs: 0040C2C0
www.wikipedia.org/, xrefs: 0040C218
www.baidu.com/, xrefs: 0040C2A8
www.bbc.co.uk/, xrefs: 0040C272
www.facebook.com/, xrefs: 0040C183
www.adobe.com/, xrefs: 0040C254

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountTick$Sleepconnecthtonslstrlenrecvselectsendsocketwsprintf
String ID: www.adobe.com/$www.baidu.com/$www.bbc.co.uk/$www.blogger.com/$www.ebay.com/$www.facebook.com/$www.google.com/$www.imdb.com/$www.myspace.com/$www.wikipedia.org/$www.yahoo.com/$www.youtube.com/
API String ID: 3648696511-323873284
Opcode ID: 9e277fce805c9b07a1fc8073f56270704cef46285c160d440713ce7cae9850b5
Instruction ID: c479cdd90be6b905ce81e7c7198eb54ca4105a7e4ea340f09c4b04c9a81f1d90
Opcode Fuzzy Hash: 9e277fce805c9b07a1fc8073f56270704cef46285c160d440713ce7cae9850b5
Instruction Fuzzy Hash: 3A51D132910E247EE753DDBCD8012DBB6676F4E311F4205B1EE05FB120D6F66D4A8A86

Function 0040604A Relevance: 16.6, APIs: 11, Instructions: 83sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B34: EnterCriticalSection.KERNEL32(0044F7E0), ref: 00405B51
Part of subcall function 00405B34: GetDesktopWindow.USER32 ref: 00405B68
Part of subcall function 00405B34: GetWindowRect.USER32(00000000), ref: 00405B6F
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BCA
Part of subcall function 00405B34: SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00405BEB
Part of subcall function 00405B34: RegCreateKeyExA.KERNEL32(80000002,00000000,00000000,?,00000000), ref: 00405C17
Part of subcall function 00405B34: RegDeleteValueA.KERNEL32(?,00000000), ref: 00405C37
Part of subcall function 00405B34: RegCloseKey.ADVAPI32(?), ref: 00405C40
Part of subcall function 00405B34: lstrlenA.KERNEL32(?), ref: 00405C70

GetTickCount.KERNEL32 ref: 0040607B
Sleep.KERNEL32(00000BB8,00000001), ref: 0040608C
GetTickCount.KERNEL32 ref: 0040609A
Sleep.KERNEL32(00001388), ref: 004060AE
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004060B4
Process32First.KERNEL32 ref: 004060CF
EnumWindows.USER32(Function_00005FD0,00000128), ref: 00406102
Sleep.KERNEL32(00000002), ref: 0040610D
Process32Next.KERNEL32(00000000,?), ref: 00406119
CloseHandle.KERNEL32(00000000), ref: 00406124
CloseHandle.KERNEL32(00000000), ref: 00406130

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CloseDeleteSleep$CountCreateHandleProcess32TickWindow$CriticalDesktopEnterEnumFirstNextRectSectionSnapshotToolhelp32ValueWindowslstrlen
String ID:
API String ID: 409001591-0
Opcode ID: 9d0e6eae3604a372fa46df5f1dae91aa69ce446534dff376f8f2ce8baae24cbc
Instruction ID: 6d14e935c9f0d40d690cf77a63c9d9c3f0f734b2a94bd45cc227ede2a9c64a07
Opcode Fuzzy Hash: 9d0e6eae3604a372fa46df5f1dae91aa69ce446534dff376f8f2ce8baae24cbc
Instruction Fuzzy Hash: D22105712443009FE720EB709C49B6B77ACEB40315F01093BF956A12C1DB7CD829C66A

Function 0041394A Relevance: 12.0, APIs: 8, Instructions: 26clipboardstringmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0041394C
EmptyClipboard.USER32 ref: 00413957
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413961
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041396E
GlobalLock.KERNEL32(00000000), ref: 00413977
lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413982
GlobalUnlock.KERNEL32(00000000), ref: 00413989
SetClipboardData.USER32(00000001,00000000), ref: 00413992

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ClipboardGlobal$AllocDataEmptyLockOpenUnlocklstrcpylstrlen
String ID:
API String ID: 3563369359-0
Opcode ID: d1bfc2bec72121191d5fdeca06325dad68d51be11a781bbeb7cc51d1b5ca18e6
Instruction ID: 03cfffbadc2426e9481ae38d35fbcacdd2f81c373927c6d6a8f287d221c63894
Opcode Fuzzy Hash: d1bfc2bec72121191d5fdeca06325dad68d51be11a781bbeb7cc51d1b5ca18e6
Instruction Fuzzy Hash: A1E0C9B1645211EFDB222BA0AD0DBAA3A28FF05753F404464F90A91161CF754962CBBB

Function 0042185B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0042185F
GetTickCount.KERNEL32 ref: 00421892
Sleep.KERNEL32(00000064,?,?,76AF23A0), ref: 0042189E
Sleep.KERNEL32(000003E8,?,?,76AF23A0), ref: 004218B5

Strings

(9F, xrefs: 00421871

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountSleepTick
String ID: (9F
API String ID: 2804873075-1478797141
Opcode ID: 563e7cb43550c95dcfdcc4b756396648e8eae4d2fb5d0f5d49cce62bc54be093
Instruction ID: 602608fe2a53e29e7fbdf509ec23d8455fc930f4c724492092ef177562ae7c18
Opcode Fuzzy Hash: 563e7cb43550c95dcfdcc4b756396648e8eae4d2fb5d0f5d49cce62bc54be093
Instruction Fuzzy Hash: 38F05961B083A46FE3106760FC84B2F3B488B62369F444036FC88512A2D75A0924C27F

Function 0041C853 Relevance: 77.3, APIs: 41, Strings: 3, Instructions: 333windowsleepCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 0041C86F

Part of subcall function 00413761: lstrlenA.KERNEL32(0042A784,776AC310,00000001,0042A784,0040DAA0,00000001,0042A784), ref: 00413799
Part of subcall function 00413761: lstrlenA.KERNEL32(00000001), ref: 0041379F

IsWindowVisible.USER32(?), ref: 0041C89C

Part of subcall function 0041435D: GetDesktopWindow.USER32 ref: 0041436A
Part of subcall function 0041435D: GetWindowRect.USER32(00000000), ref: 00414377
Part of subcall function 0041435D: GetWindowRect.USER32(00000000,?), ref: 00414381
Part of subcall function 0041435D: SetWindowTextA.USER32(00000000,0042A440), ref: 0041438F
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414401
Part of subcall function 0041435D: SetWindowPos.USER32(00000000,000000FF,?,00000000,00000000,00000000,00000040,?,?,?), ref: 0041441C
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414425
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 00414432
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 0041443B
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 0041443E
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 00414441
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 00414444
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 00414447
Part of subcall function 0041435D: Sleep.KERNEL32(00000064,?,?,?), ref: 0041444B
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414454

GetDesktopWindow.USER32 ref: 0041C901
GetWindowRect.USER32(00000000), ref: 0041C908
GetWindowRect.USER32(?,?), ref: 0041C90F
SetWindowTextA.USER32(?,0042A440), ref: 0041C917
SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 0041C93C
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0041C973
ShowWindow.USER32(?,00000000), ref: 0041C97B
GetTickCount.KERNEL32 ref: 0041C999
SetForegroundWindow.USER32(?), ref: 0041C9AC
SetFocus.USER32(?), ref: 0041C9B9
SetForegroundWindow.USER32(?), ref: 0041C9BC
SetFocus.USER32(?), ref: 0041C9C3
SetForegroundWindow.USER32(?), ref: 0041C9C6
SetFocus.USER32(?), ref: 0041C9CD
Sleep.KERNEL32(00000064), ref: 0041C9D1
PostMessageA.USER32(?,00000100,00000009,00000000), ref: 0041C9EE
PostMessageA.USER32(?,00000100,00000026,00000000), ref: 0041C9F6
PostMessageA.USER32(?,00000100,0000000D,00000000), ref: 0041C9FE
GetWindowRect.USER32(?,?), ref: 0041CA73
Sleep.KERNEL32(000001F4), ref: 0041CA80
SetFocus.USER32(?), ref: 0041CAC7
GetWindowRect.USER32(?,?), ref: 0041CB3C
GetSystemMetrics.USER32(00000005), ref: 0041CB46
GetSystemMetrics.USER32(00000007), ref: 0041CB4F
GetSystemMetrics.USER32(00000008), ref: 0041CB5B

Strings

tSkNotify, xrefs: 0041C957
tSkMainForm., xrefs: 0041C87B
tSkACLForm., xrefs: 0041C8EC

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Window$Focus$ForegroundRect$MessagePostShow$MetricsSleepSystem$DesktopTextlstrlen$ClassCountNameTickVisible
String ID: tSkACLForm.$tSkMainForm.$tSkNotify
API String ID: 3615854559-155394806
Opcode ID: 9b82ce25023f09f4f641c2b1a6fed4b20d919e2426a02ab249a4bd5809e70122
Instruction ID: 33e34fc2864a5c1f50d125138dd43901c9e19477e55f8c9ec2e9d27e71862bec
Opcode Fuzzy Hash: 9b82ce25023f09f4f641c2b1a6fed4b20d919e2426a02ab249a4bd5809e70122
Instruction Fuzzy Hash: 08B1E671940208BFEB11EFA4DC85FEF3B78EF05714F100056F904A6291DB799A91DBA9

Function 0041E94D Relevance: 48.1, APIs: 17, Strings: 15, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0041E95A

Part of subcall function 0041D048: EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
Part of subcall function 0041D048: lstrlenA.KERNEL32(?), ref: 0041D066
Part of subcall function 0041D048: SendMessageA.USER32(0000004A,00000000), ref: 0041D082
Part of subcall function 0041D048: LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Sleep.KERNEL32(0000000A), ref: 0041E969
Sleep.KERNEL32(0000000A), ref: 0041E977
Sleep.KERNEL32(0000000A), ref: 0041E985
Sleep.KERNEL32(0000000A), ref: 0041E993
Sleep.KERNEL32(0000000A), ref: 0041E9A1
Sleep.KERNEL32(0000000A), ref: 0041E9AF
Sleep.KERNEL32(0000000A), ref: 0041E9BD
Sleep.KERNEL32(0000000A), ref: 0041E9CB
Sleep.KERNEL32(0000000A), ref: 0041E9D9
Sleep.KERNEL32(0000000A), ref: 0041E9E7
Sleep.KERNEL32(0000000A), ref: 0041E9F5
Sleep.KERNEL32(0000000A), ref: 0041EA03
Sleep.KERNEL32(0000000A), ref: 0041EA11
Sleep.KERNEL32(0000000A), ref: 0041EA1F
Sleep.KERNEL32(0000000A), ref: 0041EA29
Sleep.KERNEL32(0000000A), ref: 0041EA37

Strings

GET PROFILE BIRTHDAY, xrefs: 0041E987
GET PROFILE IPCOUNTRY, xrefs: 0041E9B1
GET PROFILE ABOUT, xrefs: 0041EA05
GET PROFILE COUNTRY, xrefs: 0041E9A3
GET PROFILE FULLNAME, xrefs: 0041E979
GET PROFILE PSTN_BALANCE, xrefs: 0041E96B
GET PROFILE PHONE_HOME, xrefs: 0041E9CD
GET PROFILE PHONE_MOBILE, xrefs: 0041E9E9
GET PROFILE TIMEZONE, xrefs: 0041EA2B
GET PROFILE CITY, xrefs: 0041E9BF
GET PROFILE PHONE_OFFICE, xrefs: 0041E9DB
GET PROFILE MOOD_TEXT, xrefs: 0041EA13
GET PROFILE SEX, xrefs: 0041E995
GET PROFILE HOMEPAGE, xrefs: 0041E9F7
GET CURRENTUSERHANDLE, xrefs: 0041E95C, 0041E961, 0041EA21

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$CriticalSection$EnterLeaveMessageSendlstrlen
String ID: GET CURRENTUSERHANDLE$GET PROFILE ABOUT$GET PROFILE BIRTHDAY$GET PROFILE CITY$GET PROFILE COUNTRY$GET PROFILE FULLNAME$GET PROFILE HOMEPAGE$GET PROFILE IPCOUNTRY$GET PROFILE MOOD_TEXT$GET PROFILE PHONE_HOME$GET PROFILE PHONE_MOBILE$GET PROFILE PHONE_OFFICE$GET PROFILE PSTN_BALANCE$GET PROFILE SEX$GET PROFILE TIMEZONE
API String ID: 2946355272-1195147660
Opcode ID: 0e05c6c380154905a828118fb1f3ec784fd830000eda53cf48dd39c78da103a4
Instruction ID: 0586fa8bb1ab81b82726b65ea7d9d3e3f81e2f51b5616a92291bba97b2517846
Opcode Fuzzy Hash: 0e05c6c380154905a828118fb1f3ec784fd830000eda53cf48dd39c78da103a4
Instruction Fuzzy Hash: DE11B792F9152C3950253276BC8BD7F4F2CC9C9B7DBA4041FF504491831F8C29C6A9BA

Function 0040901B Relevance: 45.2, APIs: 30, Instructions: 162windowCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040902E
LoadResource.KERNEL32(?,00000000), ref: 00409042
LockResource.KERNEL32(00000000), ref: 0040904F
SizeofResource.KERNEL32(?,00000000), ref: 0040905D
UpdateResourceA.KERNEL32(?,?,?,?,?,00000000), ref: 00409074
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000010,00000010,00000000), ref: 00409086
FindResourceA.KERNEL32(?,?,00000003), ref: 00409097
LoadResource.KERNEL32(?,00000000), ref: 004090A3
LockResource.KERNEL32(00000000), ref: 004090A6
SizeofResource.KERNEL32(?,?), ref: 004090B1
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 004090C6
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000030,00000030,00000000), ref: 004090D8
FindResourceA.KERNEL32(?,?,00000003), ref: 004090E9
LoadResource.KERNEL32(?,00000000), ref: 004090F5
LockResource.KERNEL32(00000000), ref: 004090F8
SizeofResource.KERNEL32(?,?), ref: 00409103
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 00409118
LookupIconIdFromDirectoryEx.USER32(?,00000001,00000020,00000020,00000000), ref: 0040912A
FindResourceA.KERNEL32(?,?,00000003), ref: 0040913B
LoadResource.KERNEL32(?,00000000), ref: 00409147
LockResource.KERNEL32(00000000), ref: 0040914A
SizeofResource.KERNEL32(?,?), ref: 00409155
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 0040916A
FindResourceA.KERNEL32(?,00000000,00000003), ref: 0040917E
LoadResource.KERNEL32(?,00000000), ref: 0040918E
LockResource.KERNEL32(00000000), ref: 00409191
SizeofResource.KERNEL32(?,?), ref: 0040919C
UpdateResourceA.KERNEL32(?,00000003,?,?,?,00000000), ref: 004091B3
FreeResource.KERNEL32(?), ref: 004091CE
FreeResource.KERNEL32(?), ref: 004091D4

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofUpdate$DirectoryFromIconLookup$Free
String ID:
API String ID: 4293049711-0
Opcode ID: a1d6c37a740b477b33ebc72f89dac7cc81a38640dfe682816ad91298d220abaf
Instruction ID: 117c28e06bb043129752a4c397bc6654641652e639958cb8c3de27d6e2a33916
Opcode Fuzzy Hash: a1d6c37a740b477b33ebc72f89dac7cc81a38640dfe682816ad91298d220abaf
Instruction Fuzzy Hash: 3E512E71518300BFE7125F61DD05F2FBAEDFF89B04F400919FA84A1160C676CA219F6A

Function 00428152 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0042C208,?,?,00000000,0042C278,00000008,00424DB3), ref: 0042816A
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00428186
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00428197
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004281A4
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 004281BA
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004281CB

Strings

GetProcessWindowStation, xrefs: 004281C5
, xrefs: 00428207
user32.dll, xrefs: 00428165
GetLastActivePopup, xrefs: 00428199
MessageBoxA, xrefs: 00428180
GetUserObjectInformationA, xrefs: 004281B4
GetActiveWindow, xrefs: 00428191

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: $GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-752805172
Opcode ID: c2cec2979fd55be9cd4a166be65f200ccb460f2b7fc8e12480f4fc6254f4e7c0
Instruction ID: 72c22d4f7f03d427608bec40e611ae1e70230dce0bfe9de60929506030e41661
Opcode Fuzzy Hash: c2cec2979fd55be9cd4a166be65f200ccb460f2b7fc8e12480f4fc6254f4e7c0
Instruction Fuzzy Hash: F4219830B01765EAD7209FA4BC84B6F7AA89B45B41F90007FE500D6192EEB8D9119B7E

Function 0040E8AC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149stringsleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001770,00000000,?,00000000,000003E8,?,00404494,?,?,00000000,00000000,?,?,?,00000000,00000002), ref: 0040E8C5
lstrcpyA.KERNEL32(00000000,http://,?,?,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040E8F7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E901
lstrcpyA.KERNEL32(00000000,00000000,?,?,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040E90D
GetTickCount.KERNEL32 ref: 0040E94C
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E964
lstrcpyA.KERNEL32(00000400,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E979
htons.WS2_32(00000000), ref: 0040E9B1
CreateThread.KERNEL32(00000000,00000000,0040E690,00000000,00000000,?), ref: 0040EA64
CreateThread.KERNEL32(00000000,00000000,0040DDC2,00000000,00000000,?), ref: 0040EA7E
Sleep.KERNEL32(00000032), ref: 0040EA89

Strings

http://, xrefs: 0040E8DE, 0040E8E3, 0040E8F5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcpy$CreateSleepThread$CountTickhtonslstrcatlstrlen
String ID: http://
API String ID: 3177099081-1121587658
Opcode ID: e830a236873730002828955a5455564e52cdf548c6e0eef8d29869c03a7d8624
Instruction ID: ce0d3c27ecb2eeb20cac135d9def360aaa073816567bcac841eaba6cd55d9888
Opcode Fuzzy Hash: e830a236873730002828955a5455564e52cdf548c6e0eef8d29869c03a7d8624
Instruction Fuzzy Hash: 5151D4B0604744EFC7219F35C845AD77BA8BF05314F00083EF96E96292D738A925CB6D

Function 00429043 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0042B908,00000001,0042B908,00000001,0042C4D8,00000040,00427184,00000001,?,00000000,00422306,00000000,?,0042413A), ref: 0042906F
GetLastError.KERNEL32(?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 00429081
GetCPInfo.KERNEL32(76AF0F00,00000000,0042C4D8,00000040,00427184,00000001,?,00000000,00422306,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310), ref: 0042912B
MultiByteToWideChar.KERNEL32(76AF0F00,00000009,00000000,?,00000000,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004291B9
MultiByteToWideChar.KERNEL32(76AF0F00,00000001,00000000,?,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 00429232
MultiByteToWideChar.KERNEL32(76AF0F00,00000009,776AC310,00000000,00000000,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 0042924F
MultiByteToWideChar.KERNEL32(76AF0F00,00000001,776AC310,00000000,?,00000000,?,0042413A,00000000,76AF0F00,00000000,776AC310,C:\Windows\system32\), ref: 004292C5

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: e32b7b48b83c6e9d5d1115c6ec31c10b8bff38056a486a14eaf21c473df95895
Instruction ID: 508109000cae9e2cdd248d7729261c4b8c559b822e122794a458f7e770b08d33
Opcode Fuzzy Hash: e32b7b48b83c6e9d5d1115c6ec31c10b8bff38056a486a14eaf21c473df95895
Instruction Fuzzy Hash: FAB1AF71B00269EBDF21CF65EC85AAE7BB5EF48710F90001BF814A62A1D7398D61CB59

Function 00425830 Relevance: 12.1, APIs: 8, Instructions: 131COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 0042584C
GetLastError.KERNEL32(?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425860
GetEnvironmentStringsW.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425882
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,76AF0A60,00000000,?,?,?,?,00422CAF), ref: 004258B6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 004258D8
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 004258F1
GetEnvironmentStrings.KERNEL32(76AF0A60,00000000,?,?,?,?,00422CAF,?,0042B7F8,00000060), ref: 00425907
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00425943

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: 14d9f0102edccd77b9f672c77a2969e39bce88967141998df9fc879381f07455
Instruction ID: ba898672c03263d1d32ad627b9c1e0deaafb00e3c435e1c8e460b17607d3aaf7
Opcode Fuzzy Hash: 14d9f0102edccd77b9f672c77a2969e39bce88967141998df9fc879381f07455
Instruction Fuzzy Hash: C33116B2704535AFDB207F65BC8483BBA8CEB453A47D5093BF541C3310E6B98C9186AE

Function 00415104 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 143stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,76AF0F00), ref: 00415114
lstrlenA.KERNEL32(-00000005), ref: 00415209
lstrlenA.KERNEL32(-00000005), ref: 00415211
lstrcpyA.KERNEL32(?,-00000005), ref: 00415220
lstrlenA.KERNEL32(00000000), ref: 00415250
lstrcpyA.KERNEL32(?,00000000), ref: 00415261

Strings

http://, xrefs: 00415194

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: http://
API String ID: 805584807-1121587658
Opcode ID: 6c7806ccabbd8fcc7ee7238832fd813b5b7c4b1b92c6720e6b48b731c2fd7ef9
Instruction ID: bda494b76298140d12da1d84aad608d97d7fbce1a881ed08e858e6e482b803ec
Opcode Fuzzy Hash: 6c7806ccabbd8fcc7ee7238832fd813b5b7c4b1b92c6720e6b48b731c2fd7ef9
Instruction Fuzzy Hash: 5941C631E04A55FFEB328A64CC487EFBBB1AB91314F1444A7C98592242C37C4AC6CB59

Function 0041C01E Relevance: 10.6, APIs: 7, Instructions: 67sleepwindowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,?,?,?,75D42B40), ref: 0041C067

Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000200,004153D7,?), ref: 004172FA
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000021,004153D7,02040001), ref: 00417305
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000201,00000001,?), ref: 00417310
Part of subcall function 004172D4: PostMessageA.USER32(004153D7,00000202,00000001,?), ref: 0041731B

Sleep.KERNEL32(000001F4,?,?,?,75D42B40,?,?,?,?,?,?,?,?,?,?,004215C9), ref: 0041C09F
GetCursorPos.USER32(?), ref: 0041C0A5
SetCursorPos.USER32(?,004215C9,?,?,?,75D42B40,?,?,?,?,?,?,?,?,?,?), ref: 0041C0B7
Sleep.KERNEL32(00000032,?,?,?,75D42B40,?,?,?,?,?,?,?,?,?,?,004215C9), ref: 0041C0BB
Sleep.KERNEL32(00000032,?,?,?,75D42B40,?,?,?,?,?,?,?,?,?,?,004215C9), ref: 0041C0C4
SetCursorPos.USER32(?,?,?,?,?,75D42B40,?,?,?,?,?,?,?,?,?,?), ref: 0041C0CC

Part of subcall function 0041435D: GetDesktopWindow.USER32 ref: 0041436A
Part of subcall function 0041435D: GetWindowRect.USER32(00000000), ref: 00414377
Part of subcall function 0041435D: GetWindowRect.USER32(00000000,?), ref: 00414381
Part of subcall function 0041435D: SetWindowTextA.USER32(00000000,0042A440), ref: 0041438F
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414401
Part of subcall function 0041435D: SetWindowPos.USER32(00000000,000000FF,?,00000000,00000000,00000000,00000040,?,?,?), ref: 0041441C
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414425
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 00414432
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 0041443B
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 0041443E
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 00414441
Part of subcall function 0041435D: SetForegroundWindow.USER32(00000000), ref: 00414444
Part of subcall function 0041435D: SetFocus.USER32(00000000,?,?,?), ref: 00414447
Part of subcall function 0041435D: Sleep.KERNEL32(00000064,?,?,?), ref: 0041444B
Part of subcall function 0041435D: ShowWindow.USER32(00000000,00000001,?,?,?), ref: 00414454

Part of subcall function 0041723B: GetWindowRect.USER32(00000025,?), ref: 0041725B
Part of subcall function 0041723B: GetClientRect.USER32(00000025,?), ref: 00417266
Part of subcall function 0041723B: GetWindowInfo.USER32(00000025,?), ref: 00417271
Part of subcall function 0041723B: GetWindow.USER32(00000025,00000005), ref: 0041729C

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Window$FocusMessagePostRectSleep$CursorForegroundShow$ClientDesktopInfoText
String ID:
API String ID: 2348713440-0
Opcode ID: 5a471075d71d43247140f0b3b8ab528cf1292858723f251d4d5d341eeea68240
Instruction ID: 8d1f864990b006e87c7e47a02d893c60dad91602a936ac63b34a93652cf90b4e
Opcode Fuzzy Hash: 5a471075d71d43247140f0b3b8ab528cf1292858723f251d4d5d341eeea68240
Instruction Fuzzy Hash: 0D11AF32900208FBDF11AFE0DC06ADE3F3AEF48310F104096FD146A191D67656A2DBA9

Function 004058E5 Relevance: 8.9, APIs: 7, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00405927
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00405976
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040599C
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004059EB
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00405A1B

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 7eb4fc7c4cff398a8127e18a8ebeb016428abaad0fb7e5a14e772a828084fa8e
Instruction ID: 29111852331fc9f6b874d3848e252dbb7bd2cb62a335b53481466694710a7231
Opcode Fuzzy Hash: 7eb4fc7c4cff398a8127e18a8ebeb016428abaad0fb7e5a14e772a828084fa8e
Instruction Fuzzy Hash: 5C312B72504A11BBE710BB20AC06AAB7799EB05324F50083FF544B71C1EB7DAD55CAAD

Function 00417016 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168B8
Part of subcall function 00416896: GetAdaptersInfo.IPHLPAPI(00000000,76AF23A0), ref: 004168DA
Part of subcall function 00416896: inet_addr.WS2_32(000001D8), ref: 004168ED

gethostname.WS2_32(?,00000080), ref: 0041704F
gethostbyname.WS2_32(?), ref: 00417065

Part of subcall function 00416BF1: lstrlenA.KERNEL32(00459868,004170BD,00000001,?,?,?,76AF23A0), ref: 00416BFF

GetTickCount.KERNEL32 ref: 004170BE

Part of subcall function 004136FF: lstrlenA.KERNEL32(4941262305804196,C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\,0040C034,?,00000000,0040D80A), ref: 00413708

Part of subcall function 00413663: lstrlenA.KERNEL32(4941262305804196,?,?,00000000), ref: 00413691

inet_ntoa.WS2_32(?), ref: 004170EC

Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?,00417108,0042A774,?,TCP,?,00000000,?,?,?,?,?,?,76AF23A0), ref: 00416EDF
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F08
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F2F
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F58
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416F7F
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416FA6
Part of subcall function 00416E93: lstrcatA.KERNEL32(?,?), ref: 00416FCF

Strings

TCP, xrefs: 004170F6

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: lstrcat$lstrlen$AdaptersInfo$CountTickgethostbynamegethostnameinet_addrinet_ntoa
String ID: TCP
API String ID: 2422590998-617288268
Opcode ID: e1602f64369b46a3807cfafc907e5879a1d62b839d2e3dace35d8ca8e897e3f8
Instruction ID: b1e24fbc6d044a6cad89cbc1356073e7b4529d59893941b7878710fa553d88fd
Opcode Fuzzy Hash: e1602f64369b46a3807cfafc907e5879a1d62b839d2e3dace35d8ca8e897e3f8
Instruction Fuzzy Hash: 4931E872944218AFDF21AFB4DC42DEA37B8AF08344F14043AFA11D2212DA39D9858765

Function 00425952 Relevance: 7.6, APIs: 5, Instructions: 142COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(76AF0A60), ref: 004259A9
GetFileType.KERNEL32(00000800), ref: 00425A50
GetStdHandle.KERNEL32(-000000F6), ref: 00425AA9
GetFileType.KERNEL32(00000000), ref: 00425AB7

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: FileType$HandleInfoStartup
String ID:
API String ID: 2290155327-0
Opcode ID: f8f63ec4bba8fd702233c63b22d656da169e2781094af63c60f0cb75cb52c619
Instruction ID: d2a862219b93b2636bbf7e154969fd1a02f9e5da5015a8ccb00956fe4b263de6
Opcode Fuzzy Hash: f8f63ec4bba8fd702233c63b22d656da169e2781094af63c60f0cb75cb52c619
Instruction Fuzzy Hash: AD512771704A618FD7208F28EC857667BA0AB05335F99836BD4A2CB2E0E778D841C71A

Function 0041A836 Relevance: 7.6, APIs: 5, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0045A2D8,?,76AE8A60,00000000,?,00401F4A,?,?), ref: 0041A852
lstrlenA.KERNEL32(0045A2D8,00000000,00401F4A,?,?), ref: 0041A86A
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041A898
ReadFile.KERNEL32(00000000,?,00000400,?,00000000), ref: 0041A8FA
CloseHandle.KERNEL32(?), ref: 0041A903

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Filelstrlen$CloseCreateHandleRead
String ID:
API String ID: 3969191716-0
Opcode ID: f1bc365878a1fba07598aae656edbd1a92688bd0fca3672f0b62f6462dadd13d
Instruction ID: 70d8934ea1e1ab713b593232fcf5332bb3268c6813b75f36181d3b14db31b1a8
Opcode Fuzzy Hash: f1bc365878a1fba07598aae656edbd1a92688bd0fca3672f0b62f6462dadd13d
Instruction Fuzzy Hash: 542171B2900118BFDB20AB94DC41EEF777CEB04354F5001AAFB05E3150D6356EA69B7A

Function 00415042 Relevance: 7.6, APIs: 5, Instructions: 76keyboardsleepCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,00000190,?,76AF0F00), ref: 0041507B
SendInput.USER32(00000001,?,0000001C), ref: 004150A1
Sleep.KERNEL32(00000064), ref: 004150A5
SendInput.USER32(00000001,?,0000001C), ref: 004150D3
SendInput.USER32(00000001,?,0000001C), ref: 004150FD

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: InputSend$Sleep
String ID:
API String ID: 240672775-0
Opcode ID: 7b81f98a793ce5abd1e9060f4b5e1a42909660d45532c886f336ca13e155e941
Instruction ID: 9f290cfd91dfee7e366b78b15d6756e3afb169dd54bad8c08db7a4cfee71d3d9
Opcode Fuzzy Hash: 7b81f98a793ce5abd1e9060f4b5e1a42909660d45532c886f336ca13e155e941
Instruction Fuzzy Hash: 79212FA2D4021CBBDB11ABD6EC8AEDFFFBCEF50314F100427F601B2160E264565987A6

Function 004200F9 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004201D8
Sleep.KERNEL32(000007D0), ref: 00420207

Part of subcall function 0041411E: GetTickCount.KERNEL32 ref: 0041411E

Strings

d, xrefs: 00420192
CHAT CREATE %s, xrefs: 004201D2

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountSleepTickwsprintf
String ID: CHAT CREATE %s$d
API String ID: 21340384-1393571586
Opcode ID: 6ff5e123241310e84f5d937806fdfd97bc892e57cf58ef5ee357e48b1a968bb9
Instruction ID: 9b9521ded8b57a1770c2347fc0122ac2a4d25d25d1d9837db78de688113ac97f
Opcode Fuzzy Hash: 6ff5e123241310e84f5d937806fdfd97bc892e57cf58ef5ee357e48b1a968bb9
Instruction Fuzzy Hash: 0941D430604744DFC720EF69D8859AAFBE1FF04304B55896FE08A87652CB39E894CB5E

Function 004208C4 Relevance: 6.1, APIs: 4, Instructions: 102stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F8B9: GetTickCount.KERNEL32 ref: 0041F92B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F966
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F985
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F990
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F99B
Part of subcall function 0041F8B9: lstrlenA.KERNEL32(?), ref: 0041F9A2
Part of subcall function 0041F8B9: lstrcatA.KERNEL32(?,0042A4E0), ref: 0041F9B2

lstrcmpiA.KERNEL32(?,?), ref: 00420951
lstrcpynA.KERNEL32(00000000,?,00000078,?,?,00000000), ref: 00420967
GetTickCount.KERNEL32 ref: 0042098A
Sleep.KERNEL32(000003E8,?,?,00000000), ref: 004209D1

Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420325
Part of subcall function 004202CD: Sleep.KERNEL32(0000012C), ref: 00420331
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420366
Part of subcall function 004202CD: lstrlenA.KERNEL32(00000000,?,?,?,?,?), ref: 0042038A
Part of subcall function 004202CD: GetTickCount.KERNEL32 ref: 00420393

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CountTick$lstrcat$lstrlen$Sleep$lstrcmpilstrcpyn
String ID:
API String ID: 4241744780-0
Opcode ID: a5797a3337ac284f49606b989114822fa8f6a7677816d38e25a2feba24009512
Instruction ID: e1c63eb699c4a579d3e53cbe12f8c53483fa5a3500a6c19c00d829c2c369af7d
Opcode Fuzzy Hash: a5797a3337ac284f49606b989114822fa8f6a7677816d38e25a2feba24009512
Instruction Fuzzy Hash: D331E371B003289FEF20CF64D805BEB77E4AF04314F50096EE95696293DB789989CB54

Function 0041D048 Relevance: 6.0, APIs: 4, Instructions: 28stringwindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0045B020), ref: 0041D055
lstrlenA.KERNEL32(?), ref: 0041D066
SendMessageA.USER32(0000004A,00000000), ref: 0041D082
LeaveCriticalSection.KERNEL32(0045B020), ref: 0041D092

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageSendlstrlen
String ID:
API String ID: 2615675618-0
Opcode ID: 7c74f56ab4b2f4d99c8cf02e5dac5e513ef1ef44eafc1b19ff3713757b601000
Instruction ID: 04bdf258bc530c0cdee2ac19c1b7621b2973c0a551cbe2d9e9c14f2e41fc7480
Opcode Fuzzy Hash: 7c74f56ab4b2f4d99c8cf02e5dac5e513ef1ef44eafc1b19ff3713757b601000
Instruction Fuzzy Hash: 59F08271900304EBCB119FA4EC08B9E7BB8EB09302F008075ED16E2161D73486559BAE

Function 004218D6 Relevance: 6.0, APIs: 4, Instructions: 20sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004218F5
EnterCriticalSection.KERNEL32(0045A330), ref: 00421905
EnumWindows.USER32(0042108F,00000000), ref: 00421912
Sleep.KERNEL32(0000000F), ref: 0042191A

Memory Dump Source

Source File: 00000004.00000002.208992077365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.208991980162.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992221969.000000000042A000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992308531.000000000042E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992423240.000000000042F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992579086.0000000000448000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992667485.0000000000449000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992771455.000000000044E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000458000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000463000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.208992881645.0000000000465000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_zjisvko.jbxd

Similarity

API ID: Sleep$CriticalEnterEnumSectionWindows
String ID:
API String ID: 2151141519-0
Opcode ID: 73382d69a21fc8b10e3f2b6feb81f70276a3830f2d7b93a82bb811b2617987ba
Instruction ID: d93265669e9007938a92f4f787627f2676029b5fa9748b48d493c5193711b42f
Opcode Fuzzy Hash: 73382d69a21fc8b10e3f2b6feb81f70276a3830f2d7b93a82bb811b2617987ba
Instruction Fuzzy Hash: 5AE01234BC8365B7E5206791BC4BB2626109B1AF16FE04033BE05251F189ED1576DBAF

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HqvlYZC7Gf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\dfwytawqsqtomosmnpgid.gac

C:\Program Files (x86)\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

C:\Users\user\AppData\Local\Temp\bzmkbewmkeduommczxkiz.exe

C:\Users\user\AppData\Local\Temp\dfwytawqsqtomosmnpgid.gac

C:\Users\user\AppData\Local\Temp\fzicpocoiytgwqmyr.exe

C:\Users\user\AppData\Local\Temp\mjvsikbqngeunkjyurda.exe

C:\Users\user\AppData\Local\Temp\ojtoccrezqmarmjwql.exe

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\RCX70EC.tmp

C:\Users\user\AppData\Local\Temp\qfjygajqfqgo\ylnagyfkxg.exe

C:\Users\user\AppData\Local\Temp\srfewatkjeewrqrigftsko.exe

C:\Users\user\AppData\Local\Temp\takyouhoymc.exe

C:\Users\user\AppData\Local\Temp\ylnagyfkxguajwlqcprekcjobkyenapu.tvi

C:\Users\user\AppData\Local\Temp\yrzsecpaticodwrc.exe

C:\Users\user\AppData\Local\Temp\zjisvko.exe

Windows Analysis Report
HqvlYZC7Gf.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre