Edit tour

Windows Analysis Report
PORgjGswYg.exe

Overview

General Information

Sample name:	PORgjGswYg.exe renamed because original name is a hash value
Original sample name:	0d644920cd17c1f0ca100447ce19b7d575fcfa6bf8b8ca7615a0f734e1d777e0.exe
Analysis ID:	1551202
MD5:	e514c5d45cb8abfd9be33c7a7bfb3e22
SHA1:	5f419a610f76703a8c0cce83c0b4b282f2d6e77c
SHA256:	0d644920cd17c1f0ca100447ce19b7d575fcfa6bf8b8ca7615a0f734e1d777e0
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PORgjGswYg.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\PORgjGswYg.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

d939bcdhmynt2wokv.exe (PID: 7784 cmdline: "C:\iduicjypf\d939bcdhmynt2wokv.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

evwoxfz.exe (PID: 7884 cmdline: "C:\iduicjypf\evwoxfz.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

evwoxfz.exe (PID: 7800 cmdline: C:\iduicjypf\evwoxfz.exe MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

pubealmiyel.exe (PID: 7856 cmdline: nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

evwoxfz.exe (PID: 6516 cmdline: "c:\iduicjypf\evwoxfz.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

pubealmiyel.exe (PID: 6940 cmdline: nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

evwoxfz.exe (PID: 6832 cmdline: "c:\iduicjypf\evwoxfz.exe" MD5: E514C5D45CB8ABFD9BE33C7A7BFB3E22)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:53.990026+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.9	49810	TCP
2024-11-07T15:37:31.687867+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.9	49979	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:47.013251+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	49769	TCP
2024-11-07T15:36:51.058444+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49789	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:47.013251+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	49769	TCP
2024-11-07T15:36:51.058444+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49789	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:47.061993+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	59115	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:41.393460+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	62967	UDP
2024-11-07T15:38:10.962108+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	50837	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:46.932208+0100	2815568	1	A Network Trojan was detected	192.168.2.9	49769	54.244.188.177	80	TCP
2024-11-07T15:38:02.378593+0100	2815568	1	A Network Trojan was detected	192.168.2.9	49980	199.59.243.227	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:36:46.932208+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	49769	54.244.188.177	80	TCP
2024-11-07T15:38:02.378593+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	49980	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PORgjGswYg.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\iduicjypf\pubealmiyel.exe	Avira: detection malicious, Label: HEUR/AGEN.1316142
Source: C:\iduicjypf\evwoxfz.exe	Avira: detection malicious, Label: HEUR/AGEN.1316142
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Avira: detection malicious, Label: HEUR/AGEN.1316142

Multi AV Scanner detection for dropped file

Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	ReversingLabs: Detection: 92%
Source: C:\iduicjypf\evwoxfz.exe	ReversingLabs: Detection: 92%
Source: C:\iduicjypf\pubealmiyel.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: PORgjGswYg.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\iduicjypf\pubealmiyel.exe	Joe Sandbox ML: detected
Source: C:\iduicjypf\evwoxfz.exe	Joe Sandbox ML: detected
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PORgjGswYg.exe

Joe Sandbox ML: detected

Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEDFB0 GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		2_2_00AEDFB0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3DFB0 GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		3_2_00D3DFB0

Source: PORgjGswYg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PORgjGswYg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00FF1650
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00AD1650
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D21650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00D21650
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C81650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00C81650
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D21650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00D21650
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_009D1650

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:49769 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:49980 -> 199.59.243.227:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: Joe Sandbox View	IP Address: 85.214.228.140 85.214.228.140
Source: Joe Sandbox View	IP Address: 199.59.243.227 199.59.243.227

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.9:59115
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:49769 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.9:49769
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.9:49789
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.9:49769
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:62967
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.9:49789
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:49980 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:50837
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.9:49810
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.9:49979

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_01009610 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket,

0_2_01009610

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: global traffic	DNS traffic detected: DNS query: leaderstream.net
Source: global traffic	DNS traffic detected: DNS query: heavenstream.net
Source: global traffic	DNS traffic detected: DNS query: leadernothing.net
Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net

Source: evwoxfz.exe, 00000003.00000002.2138333513.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, evwoxfz.exe, 00000009.00000002.3167631272.00000000009D7000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\PORgjGswYg.exe	File created: C:\Windows\iduicjypf\	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	File created: C:\Windows\iduicjypf\mp4dlnai	Jump to behavior

Source: C:\Users\user\Desktop\PORgjGswYg.exe

File deleted: C:\Windows\iduicjypf\mp4dlnai

Jump to behavior

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FEC09C	0_2_00FEC09C
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF6220	0_2_00FF6220
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_01004E51	0_2_01004E51
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100E500	0_2_0100E500
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FEC0C0	0_2_00FEC0C0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF3CB0	0_2_00FF3CB0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFC089	0_2_00FFC089
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100F590	0_2_0100F590
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100C9D0	0_2_0100C9D0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFA820	0_2_00FFA820
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_010079E0	0_2_010079E0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF5810	0_2_00FF5810
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FE4809	0_2_00FE4809
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_01009809	0_2_01009809
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF81F0	0_2_00FF81F0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFEDA0	0_2_00FFEDA0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF0530	0_2_00FF0530
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF8D30	0_2_00FF8D30
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_010080E0	0_2_010080E0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FE82D0	0_2_00FE82D0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF4ED0	0_2_00FF4ED0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_01008338	0_2_01008338
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100CF70	0_2_0100CF70
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF5E60	0_2_00FF5E60
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100DFB0	0_2_0100DFB0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_01009610	0_2_01009610
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FE13D0	0_2_00FE13D0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFB7D0	0_2_00FFB7D0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFFB50	0_2_00FFFB50
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_010006D0	0_2_010006D0
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FEC710	0_2_00FEC710
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FFD310	0_2_00FFD310
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF3700	0_2_00FF3700
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ACC09C	2_2_00ACC09C
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD8D30	2_2_00AD8D30
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD6220	2_2_00AD6220
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE4E51	2_2_00AE4E51
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEDFB0	2_2_00AEDFB0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AECF70	2_2_00AECF70
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD3CB0	2_2_00AD3CB0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADC089	2_2_00ADC089
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE80E0	2_2_00AE80E0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ACC0C0	2_2_00ACC0C0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADA820	2_2_00ADA820
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE9809	2_2_00AE9809
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD5810	2_2_00AD5810
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADEDA0	2_2_00ADEDA0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEF590	2_2_00AEF590
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE79E0	2_2_00AE79E0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD81F0	2_2_00AD81F0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEC9D0	2_2_00AEC9D0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD0530	2_2_00AD0530
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEE500	2_2_00AEE500
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AC82D0	2_2_00AC82D0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD4ED0	2_2_00AD4ED0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE06D0	2_2_00AE06D0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE9610	2_2_00AE9610
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD5E60	2_2_00AD5E60
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AC47FA	2_2_00AC47FA
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AC13D0	2_2_00AC13D0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADB7D0	2_2_00ADB7D0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AE8338	2_2_00AE8338
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD3700	2_2_00AD3700
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ACC710	2_2_00ACC710
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADD310	2_2_00ADD310
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00ADFB50	2_2_00ADFB50
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D1C09C	3_2_00D1C09C
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2EDA0	3_2_00D2EDA0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D28D30	3_2_00D28D30
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D34E51	3_2_00D34E51
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D25E60	3_2_00D25E60
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D39610	3_2_00D39610
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D26220	3_2_00D26220
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3DFB0	3_2_00D3DFB0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3CF70	3_2_00D3CF70
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D1C0C0	3_2_00D1C0C0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D380E0	3_2_00D380E0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2C089	3_2_00D2C089
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D23CB0	3_2_00D23CB0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D25810	3_2_00D25810
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D14809	3_2_00D14809
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D39809	3_2_00D39809
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2A820	3_2_00D2A820
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3C9D0	3_2_00D3C9D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D281F0	3_2_00D281F0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D379E0	3_2_00D379E0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3F590	3_2_00D3F590
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3E500	3_2_00D3E500
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D20530	3_2_00D20530
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D182D0	3_2_00D182D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D24ED0	3_2_00D24ED0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D306D0	3_2_00D306D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D113D0	3_2_00D113D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2B7D0	3_2_00D2B7D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2FB50	3_2_00D2FB50
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D1C710	3_2_00D1C710
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D2D310	3_2_00D2D310
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D23700	3_2_00D23700
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D38338	3_2_00D38338
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C7C09C	4_2_00C7C09C
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C86220	4_2_00C86220
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C94E51	4_2_00C94E51
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C85E60	4_2_00C85E60
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C7C0C0	4_2_00C7C0C0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C980E0	4_2_00C980E0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8C089	4_2_00C8C089
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C99809	4_2_00C99809
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C74800	4_2_00C74800
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C85810	4_2_00C85810
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8A820	4_2_00C8A820
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9C9D0	4_2_00C9C9D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C979E0	4_2_00C979E0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C881F0	4_2_00C881F0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C782D0	4_2_00C782D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C713D0	4_2_00C713D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8FB50	4_2_00C8FB50
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8D310	4_2_00C8D310
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C98338	4_2_00C98338
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C83CB0	4_2_00C83CB0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9F590	4_2_00C9F590
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8EDA0	4_2_00C8EDA0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9E500	4_2_00C9E500
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C80530	4_2_00C80530
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C88D30	4_2_00C88D30
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C84ED0	4_2_00C84ED0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C906D0	4_2_00C906D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C99610	4_2_00C99610
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C8B7D0	4_2_00C8B7D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9DFB0	4_2_00C9DFB0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9CF70	4_2_00C9CF70
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C83700	4_2_00C83700
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C7C710	4_2_00C7C710
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D1C09C	5_2_00D1C09C
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D34E51	5_2_00D34E51
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D26220	5_2_00D26220
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D1C0C0	5_2_00D1C0C0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D380E0	5_2_00D380E0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2C089	5_2_00D2C089
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D23CB0	5_2_00D23CB0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D25810	5_2_00D25810
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D14809	5_2_00D14809
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D39809	5_2_00D39809
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2A820	5_2_00D2A820
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3C9D0	5_2_00D3C9D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D281F0	5_2_00D281F0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D379E0	5_2_00D379E0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3F590	5_2_00D3F590
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2EDA0	5_2_00D2EDA0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3E500	5_2_00D3E500
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D20530	5_2_00D20530
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D28D30	5_2_00D28D30
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D182D0	5_2_00D182D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D24ED0	5_2_00D24ED0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D306D0	5_2_00D306D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D25E60	5_2_00D25E60
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D39610	5_2_00D39610
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D113D0	5_2_00D113D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2B7D0	5_2_00D2B7D0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3DFB0	5_2_00D3DFB0
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2FB50	5_2_00D2FB50
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3CF70	5_2_00D3CF70
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D1C710	5_2_00D1C710
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D2D310	5_2_00D2D310
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D23700	5_2_00D23700
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D38338	5_2_00D38338
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009CC09C	10_2_009CC09C
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D6220	10_2_009D6220
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E4E51	10_2_009E4E51
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D5E60	10_2_009D5E60
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DC089	10_2_009DC089
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D3CB0	10_2_009D3CB0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009CC0C0	10_2_009CC0C0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E80E0	10_2_009E80E0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D5810	10_2_009D5810
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E9809	10_2_009E9809
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DA820	10_2_009DA820
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009EF590	10_2_009EF590
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DEDA0	10_2_009DEDA0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009EC9D0	10_2_009EC9D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D81F0	10_2_009D81F0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E79E0	10_2_009E79E0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009EE500	10_2_009EE500
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D0530	10_2_009D0530
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D8D30	10_2_009D8D30
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009C82D0	10_2_009C82D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D4ED0	10_2_009D4ED0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E06D0	10_2_009E06D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E9610	10_2_009E9610
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009EDFB0	10_2_009EDFB0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009C13D0	10_2_009C13D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DB7D0	10_2_009DB7D0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009C47FA	10_2_009C47FA
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009CC710	10_2_009CC710
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DD310	10_2_009DD310
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D3700	10_2_009D3700
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009E8338	10_2_009E8338
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009DFB50	10_2_009DFB50
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009ECF70	10_2_009ECF70

Source: PORgjGswYg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PORgjGswYg.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: d939bcdhmynt2wokv.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: evwoxfz.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pubealmiyel.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@14/5@335/4

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_0100BB30
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00AEBB30
Source: C:\iduicjypf\evwoxfz.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00D3BB30
Source: C:\iduicjypf\pubealmiyel.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00C9BB30
Source: C:\iduicjypf\evwoxfz.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00D3BB30
Source: C:\iduicjypf\pubealmiyel.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_009EBB30

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_010074D0 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

0_2_010074D0

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_0100BB30 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0100BB30

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_0100DE80 StartServiceCtrlDispatcherA,	0_2_0100DE80
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AEDE80 StartServiceCtrlDispatcherA,	2_2_00AEDE80
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D3DE80 StartServiceCtrlDispatcherA,	3_2_00D3DE80
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C9DE80 StartServiceCtrlDispatcherA,	4_2_00C9DE80
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D3DE80 StartServiceCtrlDispatcherA,	5_2_00D3DE80
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009EDE80 StartServiceCtrlDispatcherA,	10_2_009EDE80

Source: C:\iduicjypf\evwoxfz.exe

Mutant created: NULL

Source: PORgjGswYg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PORgjGswYg.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\PORgjGswYg.exe

File read: C:\Users\user\Desktop\PORgjGswYg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PORgjGswYg.exe "C:\Users\user\Desktop\PORgjGswYg.exe"
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Process created: C:\iduicjypf\d939bcdhmynt2wokv.exe "C:\iduicjypf\d939bcdhmynt2wokv.exe"
Source: unknown	Process created: C:\iduicjypf\evwoxfz.exe C:\iduicjypf\evwoxfz.exe
Source: C:\iduicjypf\evwoxfz.exe	Process created: C:\iduicjypf\pubealmiyel.exe nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Process created: C:\iduicjypf\evwoxfz.exe "C:\iduicjypf\evwoxfz.exe"
Source: C:\iduicjypf\pubealmiyel.exe	Process created: C:\iduicjypf\evwoxfz.exe "c:\iduicjypf\evwoxfz.exe"
Source: C:\iduicjypf\evwoxfz.exe	Process created: C:\iduicjypf\pubealmiyel.exe nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"
Source: C:\iduicjypf\pubealmiyel.exe	Process created: C:\iduicjypf\evwoxfz.exe "c:\iduicjypf\evwoxfz.exe"
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Process created: C:\iduicjypf\d939bcdhmynt2wokv.exe "C:\iduicjypf\d939bcdhmynt2wokv.exe"	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Process created: C:\iduicjypf\evwoxfz.exe "C:\iduicjypf\evwoxfz.exe"	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Process created: C:\iduicjypf\pubealmiyel.exe nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Process created: C:\iduicjypf\evwoxfz.exe "c:\iduicjypf\evwoxfz.exe"	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Process created: C:\iduicjypf\pubealmiyel.exe nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Process created: C:\iduicjypf\evwoxfz.exe "c:\iduicjypf\evwoxfz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: PORgjGswYg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_00FF8D30 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

0_2_00FF8D30

Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C738DE push ebx; retf	4_2_00C738DF
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C738E3 push ebx; retf	4_2_00C738E4
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73859 push cs; retf	4_2_00C7385A
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C74142 push ecx; retf	4_2_00C74143
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73A99 push es; retf	4_2_00C73A9B
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73AA7 push es; retf	4_2_00C73AAD
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C742A1 push esp; retf	4_2_00C742B8
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C74311 push ss; retf	4_2_00C74312
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C744D9 push edi; retf	4_2_00C744E7
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C744EE push edi; retf	4_2_00C744F0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C744BA push esi; retf	4_2_00C744BC
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73C7C push es; retf	4_2_00C73C7D
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73C20 push FFFFFF90h; retf	4_2_00C73C22
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73D0D pushfd ; retf	4_2_00C73D24
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C73D2C pushfd ; retf	4_2_00C73D2D
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C736F7 push es; retf	4_2_00C736F8
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C94E41 push es; retf	4_2_00C94E42
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C94E3B push es; retf	4_2_00C94E3C

Source: PORgjGswYg.exe	Static PE information: section name: .text entropy: 6.895025116083861
Source: d939bcdhmynt2wokv.exe.0.dr	Static PE information: section name: .text entropy: 6.895025116083861
Source: evwoxfz.exe.2.dr	Static PE information: section name: .text entropy: 6.895025116083861
Source: pubealmiyel.exe.3.dr	Static PE information: section name: .text entropy: 6.895025116083861

Source: C:\iduicjypf\evwoxfz.exe	File created: C:\iduicjypf\pubealmiyel.exe	Jump to dropped file
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	File created: C:\iduicjypf\evwoxfz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PORgjGswYg.exe	File created: C:\iduicjypf\d939bcdhmynt2wokv.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_0100BB30 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_0100BB30

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_00FE5ED0
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00AC5ED0
Source: C:\iduicjypf\evwoxfz.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_00D15ED0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_00C75ED0
Source: C:\iduicjypf\evwoxfz.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	5_2_00D15ED0
Source: C:\iduicjypf\pubealmiyel.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_009C5ED0

Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00AD8D30
Source: C:\iduicjypf\evwoxfz.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_00D28D30

Source: C:\iduicjypf\pubealmiyel.exe	Window / User API: threadDelayed 806	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Window / User API: threadDelayed 1068	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Window / User API: threadDelayed 775	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe	Window / User API: threadDelayed 1098	Jump to behavior

Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_2-10452
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-10778
Source: C:\iduicjypf\evwoxfz.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_3-11100
Source: C:\iduicjypf\pubealmiyel.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_4-10916

Source: C:\iduicjypf\pubealmiyel.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_4-9773
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_2-9829
Source: C:\Users\user\Desktop\PORgjGswYg.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-9772
Source: C:\iduicjypf\evwoxfz.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_3-9827

Source: C:\iduicjypf\evwoxfz.exe TID: 7864	Thread sleep time: -37774s >= -30000s	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 7860	Thread sleep count: 806 > 30	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 7860	Thread sleep time: -806000s >= -30000s	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 7860	Thread sleep count: 1068 > 30	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 7860	Thread sleep time: -1068000s >= -30000s	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe TID: 2220	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe TID: 7624	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe TID: 2220	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 6416	Thread sleep count: 775 > 30	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 6416	Thread sleep time: -775000s >= -30000s	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 6416	Thread sleep count: 1098 > 30	Jump to behavior
Source: C:\iduicjypf\pubealmiyel.exe TID: 6416	Thread sleep time: -1098000s >= -30000s	Jump to behavior

Source: C:\iduicjypf\evwoxfz.exe	Last function: Thread delayed
Source: C:\iduicjypf\evwoxfz.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PORgjGswYg.exe	Code function: 0_2_00FF1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00FF1650
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	Code function: 2_2_00AD1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00AD1650
Source: C:\iduicjypf\evwoxfz.exe	Code function: 3_2_00D21650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00D21650
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 4_2_00C81650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00C81650
Source: C:\iduicjypf\evwoxfz.exe	Code function: 5_2_00D21650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00D21650
Source: C:\iduicjypf\pubealmiyel.exe	Code function: 10_2_009D1650 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_009D1650

Source: C:\iduicjypf\evwoxfz.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\iduicjypf\evwoxfz.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: d939bcdhmynt2wokv.exe, 00000002.00000002.1381265963.000000000112E000.00000004.00000020.00020000.00000000.sdmp, evwoxfz.exe, 00000003.00000002.2138333513.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, evwoxfz.exe, 00000009.00000002.3167631272.00000000009D7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PORgjGswYg.exe	API call chain: ExitProcess graph end node	graph_0-9318
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-9392
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-9404
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-10930
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-9385
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-9360
Source: C:\iduicjypf\d939bcdhmynt2wokv.exe	API call chain: ExitProcess graph end node	graph_2-9877
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_3-9365
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_3-9382
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_3-11213
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_3-9863
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-9526
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-9481
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-9477
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-9521
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-9509
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-10004
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node	graph_4-11044
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_5-9325
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_5-9347
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_5-9374
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_5-9366
Source: C:\iduicjypf\evwoxfz.exe	API call chain: ExitProcess graph end node	graph_5-10876
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node
Source: C:\iduicjypf\pubealmiyel.exe	API call chain: ExitProcess graph end node

Source: C:\iduicjypf\evwoxfz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_00FF8D30 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

0_2_00FF8D30

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_00FE6C90 GetProcessHeap,RtlFreeHeap,

0_2_00FE6C90

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_01008700 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01008700

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_00FF00A0 GetSystemTimeAsFileTime,__aulldiv,

0_2_00FF00A0

Source: C:\Users\user\Desktop\PORgjGswYg.exe

Code function: 0_2_00FF6220 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

0_2_00FF6220

Source: C:\iduicjypf\d939bcdhmynt2wokv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
PORgjGswYg.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
PORgjGswYg.exe	100%	Avira	HEUR/AGEN.1316142
PORgjGswYg.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\iduicjypf\pubealmiyel.exe	100%	Avira	HEUR/AGEN.1316142
C:\iduicjypf\evwoxfz.exe	100%	Avira	HEUR/AGEN.1316142
C:\iduicjypf\d939bcdhmynt2wokv.exe	100%	Avira	HEUR/AGEN.1316142
C:\iduicjypf\pubealmiyel.exe	100%	Joe Sandbox ML
C:\iduicjypf\evwoxfz.exe	100%	Joe Sandbox ML
C:\iduicjypf\d939bcdhmynt2wokv.exe	100%	Joe Sandbox ML
C:\iduicjypf\d939bcdhmynt2wokv.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\iduicjypf\evwoxfz.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\iduicjypf\pubealmiyel.exe	92%	ReversingLabs	Win32.Spyware.Nivdort

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	unknown
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	true	unknown
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	high
returnbottle.net	18.143.155.63	true	false	high
pleasantinstead.net	18.143.155.63	true	false	unknown
leaderstream.net	unknown	unknown	true	unknown
forwardpeople.net	unknown	unknown	true	unknown
degreeanother.net	unknown	unknown	true	unknown
degreeexplain.net	unknown	unknown	true	unknown
heaveninside.net	unknown	unknown	true	unknown
answerappear.net	unknown	unknown	true	unknown
heavybusiness.net	unknown	unknown	true	unknown
pleasantinside.net	unknown	unknown	true	unknown
requirebusiness.net	unknown	unknown	true	unknown
forwardinside.net	unknown	unknown	true	unknown
glassmanner.net	unknown	unknown	true	unknown
answerexplain.net	unknown	unknown	true	unknown
orderinside.net	unknown	unknown	true	unknown
variousappear.net	unknown	unknown	true	unknown
returnbright.net	unknown	unknown	true	unknown
difficultanother.net	unknown	unknown	true	unknown
heavyinside.net	unknown	unknown	true	unknown
forwardready.net	unknown	unknown	true	unknown
glassdaughter.net	unknown	unknown	true	unknown
necessarymanner.net	unknown	unknown	true	unknown
leadernothing.net	unknown	unknown	true	unknown
answeranother.net	unknown	unknown	true	unknown
leadermanner.net	unknown	unknown	true	unknown
heavybottle.net	unknown	unknown	true	unknown
heavenbright.net	unknown	unknown	true	unknown
heavydivide.net	unknown	unknown	true	unknown
degreebrown.net	unknown	unknown	true	unknown
gentleinstead.net	unknown	unknown	true	unknown
glassanother.net	unknown	unknown	true	unknown
heavenanother.net	unknown	unknown	true	unknown
difficultmanner.net	unknown	unknown	true	unknown
glassexplain.net	unknown	unknown	true	unknown
requireinside.net	unknown	unknown	true	unknown
heavenexplain.net	unknown	unknown	true	unknown
forwardbusiness.net	unknown	unknown	true	unknown
difficultexplain.net	unknown	unknown	true	unknown
gentleappear.net	unknown	unknown	true	unknown
pleasantbright.net	unknown	unknown	true	unknown
returnexplain.net	unknown	unknown	true	unknown
gentlemanner.net	unknown	unknown	true	unknown
answerdaughter.net	unknown	unknown	true	unknown
heardinside.net	unknown	unknown	true	unknown
requiremanner.net	unknown	unknown	true	unknown
gentleexplain.net	unknown	unknown	true	unknown
glassappear.net	unknown	unknown	true	unknown
necessaryanother.net	unknown	unknown	true	unknown
glassinside.net	unknown	unknown	true	unknown
difficultbright.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	true	unknown
requireinstead.net	unknown	unknown	true	unknown
necessaryinside.net	unknown	unknown	true	unknown
returndivide.net	unknown	unknown	true	unknown
heardinstead.net	unknown	unknown	true	unknown
variousbright.net	unknown	unknown	true	unknown
degreebusiness.net	unknown	unknown	true	unknown
answerbusiness.net	unknown	unknown	true	unknown
heavenbusiness.net	unknown	unknown	true	unknown
gentledivide.net	unknown	unknown	true	unknown
variousinstead.net	unknown	unknown	true	unknown
gentlestream.net	unknown	unknown	true	unknown
pleasantmanner.net	unknown	unknown	true	unknown
necessaryappear.net	unknown	unknown	true	unknown
pleasantbusiness.net	unknown	unknown	true	unknown
heardbright.net	unknown	unknown	true	unknown
heavenbottle.net	unknown	unknown	true	unknown
heavynothing.net	unknown	unknown	true	unknown
gentlebusiness.net	unknown	unknown	true	unknown
ordermanner.net	unknown	unknown	true	unknown
leaderbottle.net	unknown	unknown	true	unknown
pleasantanother.net	unknown	unknown	true	unknown
heavyanother.net	unknown	unknown	true	unknown
degreeinstead.net	unknown	unknown	true	unknown
degreepeople.net	unknown	unknown	true	unknown
answerready.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	true	unknown
heavennothing.net	unknown	unknown	true	unknown
returninside.net	unknown	unknown	true	unknown
forwardbright.net	unknown	unknown	true	unknown
difficultinside.net	unknown	unknown	true	unknown
heavybright.net	unknown	unknown	true	unknown
leaderanother.net	unknown	unknown	true	unknown
returninstead.net	unknown	unknown	true	unknown
difficultinstead.net	unknown	unknown	true	unknown
heavenappear.net	unknown	unknown	true	unknown
answerinside.net	unknown	unknown	true	unknown
degreebright.net	unknown	unknown	true	unknown
forwardbrown.net	unknown	unknown	true	unknown
heavyinstead.net	unknown	unknown	true	unknown
gentleinside.net	unknown	unknown	true	unknown
heardexplain.net	unknown	unknown	true	unknown
heavyappear.net	unknown	unknown	true	unknown
answerpeople.net	unknown	unknown	true	unknown
pleasantexplain.net	unknown	unknown	true	unknown
requireexplain.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	evwoxfz.exe, 00000003.00000002.2138333513.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, evwoxfz.exe, 00000009.00000002.3167631272.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551202
Start date and time:	2024-11-07 15:35:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PORgjGswYg.exe renamed because original name is a hash value
Original Sample Name:	0d644920cd17c1f0ca100447ce19b7d575fcfa6bf8b8ca7615a0f734e1d777e0.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@14/5@335/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 85 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: PORgjGswYg.exe

Simulations

Behavior and APIs

Time	Type	Description
09:37:11	API Interceptor	3685x Sleep call for process: pubealmiyel.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.143.155.63	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
85.214.228.140	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	dlynankz.biz/mfjpaqkdwglsvxqo
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	dlynankz.biz/rgkgvuyxljjatio
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	dlynankz.biz/pio
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	dlynankz.biz/og
	SetupRST.exe	Get hash	malicious	Unknown	Browse	dlynankz.biz/u
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	dlynankz.biz/eoefw
	HqvlYZC7Gf.exe	Get hash	malicious	Unknown	Browse	xhjwwgwd.info/
199.59.243.227	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	glassbright.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	variousstream.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	variousstream.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	glassbright.net/index.php
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	www.adsdomain-195.click/xene/
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	www.care-for-baby-1107.xyz/ev0s/
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	www.migraine-massages.pro/ym43/
	BkZqIS5vlv.exe	Get hash	malicious	FormBook	Browse	www.deepfy.xyz/jlkn/
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	www.master7.space/0i43/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
gentleanother.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
returnbottle.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
degreedaughter.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
degreedaughter.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
pleasantinstead.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
pleasantinstead.net	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
7450.bodis.com	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
s-part-0017.t-0009.fb-t-msedge.net	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS5d7c8770636a4f3fd2ed2ec05584079425wDnNeW8yycT&sa=t&esrc=nNeW8F5d7c8770636a4f3fd2ed2ec05584079425A0xys8Em2FL&source=&cd=tS6T85d7c8770636a4f3fd2ed2ec05584079425Tiw9XH&cad=XpPkDfJX5d7c8770636a4f3fd2ed2ec05584079425VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fbyda.ng%2Fcig.bin%2Fgoin%2F%23c2VjcmV0YXJpYXRAcGVvLm9uLmNh	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45
	COw7owNqAr.exe	Get hash	malicious	FormBook	Browse	13.107.253.45
	SecuriteInfo.com.Variant.Symmi.42162.17217.532.dll	Get hash	malicious	Numando	Browse	13.107.253.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.253.45
	https://url.us.m.mimecastprotect.com/s/Z23rC737BJUZjykZNH8fJHo-qZq?domain=t.ly	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://wfisz2frdp-fileshare.se-sto-1.linodeobjects.com/preview.htm?folder&factures&2410312_DC%20SYSTEMES%20S0000262_291024.pdf	Get hash	malicious	Unknown	Browse	13.107.253.45
	Martin Summers shared _View Document_ with you.eml	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://mediaadmin.site/local/vendor/phpunit/phpunit/src/Util/arull.php?708879796770%5B%E2%80%A6%5D38375031632b504c41674930416341https://doctahelpyuo.com/oYpPP/	Get hash	malicious	Unknown	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78
	yfM67N9UUL.exe	Get hash	malicious	Ducktail	Browse	13.35.58.67
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	54.112.121.173
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	13.127.145.74
	byte.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	108.153.241.39
STRATOSTRATOAGDE	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	http://googe.de	Get hash	malicious	Unknown	Browse	85.214.62.112
	debug.dbg.elf	Get hash	malicious	Mirai	Browse	85.215.233.6
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	81.169.145.95
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	85.214.228.140
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	85.214.228.140
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	85.214.228.140
	https://hidrive.ionos.com/lnk/FamigcCEF	Get hash	malicious	Unknown	Browse	85.214.3.95
BODIS-NJUS	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	BkZqIS5vlv.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
AMAZON-02US	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78
	yfM67N9UUL.exe	Get hash	malicious	Ducktail	Browse	13.35.58.67
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	54.112.121.173
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	13.127.145.74
	byte.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	108.153.241.39

Process:	C:\Users\user\Desktop\PORgjGswYg.exe
File Type:	data
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.459431618637298
Encrypted:	false
SSDEEP:	3:ULqg:U3
MD5:	1C1E85FDA09BEFD1510321F57D156490
SHA1:	3676EB07050EB863253ABDBD2D69507457A01595
SHA-256:	C45CDF8291C0C865C91955DA3C819E7AA6F5F18CC302FC80DAD06241487D0499
SHA-512:	F7DD2C8F8617636A3645C0B3D3CC3AC98FA4350350CEDE8C47421A10E75BB5EC344DD2807322C27D60BEA9D17CB3E58F96263C0EE6DDEBBB85E1CD5585CFB636
Malicious:	false
Reputation:	low
Preview:	..Hk....E

C:\iduicjypf\d939bcdhmynt2wokv.exe

Download File

Process:	C:\Users\user\Desktop\PORgjGswYg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	7.148220390004662
Encrypted:	false
SSDEEP:	6144:xPMeyjhRyF51KtUkfZy3vr+xNAVc6SuqKrY:pMvFRyFmFYS7Eu/Kk
MD5:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
SHA1:	5F419A610F76703A8C0CCE83C0B4B282F2D6E77C
SHA-256:	0D644920CD17C1F0CA100447CE19B7D575FCFA6BF8B8CA7615A0F734E1D777E0
SHA-512:	76048FAD8954A94FAA5A2BF3EB5960051A37D6DB7F9A71D2810702B685C438B659751C5B6AC3C86D45E007CD01AE5BD3BEE7C3D20F0C63CC52D46EDABE9F5D3F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............H..............q6.....q.....Rich............................PE..L...NB.V............................P.............@.......................................@..................................=..P............................ ..tw...................................................................................text............................... ..`.rdata..nF.......H..................@..@.data........P.......:..............@....reloc..tw... ...x...<..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\iduicjypf\evwoxfz.exe

Download File

Process:	C:\iduicjypf\d939bcdhmynt2wokv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	7.148220390004662
Encrypted:	false
SSDEEP:	6144:xPMeyjhRyF51KtUkfZy3vr+xNAVc6SuqKrY:pMvFRyFmFYS7Eu/Kk
MD5:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
SHA1:	5F419A610F76703A8C0CCE83C0B4B282F2D6E77C
SHA-256:	0D644920CD17C1F0CA100447CE19B7D575FCFA6BF8B8CA7615A0F734E1D777E0
SHA-512:	76048FAD8954A94FAA5A2BF3EB5960051A37D6DB7F9A71D2810702B685C438B659751C5B6AC3C86D45E007CD01AE5BD3BEE7C3D20F0C63CC52D46EDABE9F5D3F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............H..............q6.....q.....Rich............................PE..L...NB.V............................P.............@.......................................@..................................=..P............................ ..tw...................................................................................text............................... ..`.rdata..nF.......H..................@..@.data........P.......:..............@....reloc..tw... ...x...<..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\iduicjypf\mp4dlnai

Download File

Process:	C:\Users\user\Desktop\PORgjGswYg.exe
File Type:	data
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.459431618637298
Encrypted:	false
SSDEEP:	3:ULqg:U3
MD5:	1C1E85FDA09BEFD1510321F57D156490
SHA1:	3676EB07050EB863253ABDBD2D69507457A01595
SHA-256:	C45CDF8291C0C865C91955DA3C819E7AA6F5F18CC302FC80DAD06241487D0499
SHA-512:	F7DD2C8F8617636A3645C0B3D3CC3AC98FA4350350CEDE8C47421A10E75BB5EC344DD2807322C27D60BEA9D17CB3E58F96263C0EE6DDEBBB85E1CD5585CFB636
Malicious:	false
Preview:	..Hk....E

C:\iduicjypf\pubealmiyel.exe

Download File

Process:	C:\iduicjypf\evwoxfz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	7.148220390004662
Encrypted:	false
SSDEEP:	6144:xPMeyjhRyF51KtUkfZy3vr+xNAVc6SuqKrY:pMvFRyFmFYS7Eu/Kk
MD5:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
SHA1:	5F419A610F76703A8C0CCE83C0B4B282F2D6E77C
SHA-256:	0D644920CD17C1F0CA100447CE19B7D575FCFA6BF8B8CA7615A0F734E1D777E0
SHA-512:	76048FAD8954A94FAA5A2BF3EB5960051A37D6DB7F9A71D2810702B685C438B659751C5B6AC3C86D45E007CD01AE5BD3BEE7C3D20F0C63CC52D46EDABE9F5D3F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............H..............q6.....q.....Rich............................PE..L...NB.V............................P.............@.......................................@..................................=..P............................ ..tw...................................................................................text............................... ..`.rdata..nF.......H..................@..@.data........P.......:..............@....reloc..tw... ...x...<..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.148220390004662
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PORgjGswYg.exe
File size:	242'688 bytes
MD5:	e514c5d45cb8abfd9be33c7a7bfb3e22
SHA1:	5f419a610f76703a8c0cce83c0b4b282f2d6e77c
SHA256:	0d644920cd17c1f0ca100447ce19b7d575fcfa6bf8b8ca7615a0f734e1d777e0
SHA512:	76048fad8954a94faa5a2bf3eb5960051a37d6db7f9a71d2810702b685c438b659751c5b6ac3c86d45e007cd01ae5bd3bee7c3d20f0c63cc52d46edabe9f5d3f
SSDEEP:	6144:xPMeyjhRyF51KtUkfZy3vr+xNAVc6SuqKrY:pMvFRyFmFYS7Eu/Kk
TLSH:	8C34AE22EA040933DC92A6FC87687FB5DDAF62A5632C16DB43C625D458703DDE63234B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............H................q6......q......Rich............................PE..L...NB.V............................P......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42b350
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x568D424E [Wed Jan 6 16:35:26 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b9c47f5245de4766f4f075f6a7077f4c

Entrypoint Preview

Instruction
imul eax, dword ptr [00445858h], E920B1ADh
or eax, 9D7556BFh
and dword ptr [00446928h], eax
inc dword ptr [00445858h]
call 00007F8E38DAFB15h
mov ecx, dword ptr [0043E030h]
imul ecx, dword ptr [0043CE78h]
mov eax, dword ptr [0043DD34h]
dec dword ptr [0043E030h]
sub eax, 60FF29F8h
dec dword ptr [0043DD34h]
add ecx, 29FF9C13h
cmp eax, ecx
jnle 00007F8E38DB353Ch
mov dword ptr [004419FCh], 070A0054h
push esi
call 00007F8E38D97828h
movsx eax, word ptr [0044C8AAh]
push 004301A0h
mov dword ptr [00446B78h], eax
inc word ptr [0044C8AAh]
push 00430198h
call 00007F8E38D97A46h
movzx eax, word ptr [0044E8E0h]
add esp, 08h
and eax, 51008A20h
mov word ptr [0044E8E0h], ax
call 00007F8E38D911CCh
add dword ptr [0043E5C4h], 092B443Eh
mov esi, eax
call 00007F8E38DB5EEBh
imul ecx, dword ptr [00436B50h], 11518C09h
push esi
and ecx, 253641B1h
sub dword ptr [0043D3FCh], ecx
call dword ptr [00451C8Ch]

Rich Headers

Programming Language:

[C++] VS2013 UPD4 build 31101
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33dc4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0x7774	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ec82	0x2ee00	d270bb85f2409ee68a4975c686bbe3c4	False	0.732734375	data	6.895025116083861	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0x466e	0x4800	ce934624c28723647f75c9f904f78edb	False	0.8486870659722222	data	7.187590275432955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x1ccd0	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x52000	0x7774	0x7800	d4a18cecdbf82b4071a1fc1b287bbd83	False	0.7721354166666666	data	6.831945942098567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetBkColor, GetDCBrushColor, GetDCPenColor, GetClipRgn, GetMetaRgn, GetCurrentObject, GetMapMode, GetNearestColor, GetNearestPaletteIndex, GetObjectType, GetPixelFormat, GetPolyFillMode, GetRandomRgn, GetStretchBltMode, GetSystemPaletteUse, GetTextCharacterExtra, GetTextColor, GetTextCharset, GetTextCharsetInfo, GetFontLanguageInfo, GetFontUnicodeRanges, SetPixel, SetSystemPaletteUse, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetTextJustification, UpdateColors
USER32.dll	SetWindowTextA, GetWindowContextHelpId, GetMenuContextHelpId, GetCursor, GetWindowLongA, LoadIconA, RemovePropA, GetPropA, GetScrollPos, EndPaint, BeginPaint, GetWindowDC, GetDC, WindowFromDC, GetForegroundWindow, DrawTextA, GetMenuItemCount, GetMenuItemID, GetMenuState, GetMenu, IsWindowEnabled, EnableWindow, IsWindowUnicode, GetQueueStatus, GetInputState, GetKeyboardType, SetFocus, GetDialogBaseUnits, CheckDlgButton, SetDlgItemTextA, GetDlgItemInt, GetDlgItem, EndDialog, MoveWindow, ShowWindow, CallWindowProcA, PostMessageA, SendMessageA, GetMenuCheckMarkDimensions
KERNEL32.dll	MoveFileA, FindResourceA, LocalFlags, GlobalHandle, GlobalFlags, GlobalSize, GlobalAlloc, SizeofResource, LockResource, LoadResource, GetProcAddress, GetModuleHandleA, GetTickCount, GetVersion, IsProcessorFeaturePresent, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceCounter, GetLastError, IsDebuggerPresent, WriteFile, SetFilePointer, GetFileType, GetFileTime, GetDriveTypeA, FlushFileBuffers, FindClose, DeleteFileA, GetStdHandle

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T15:36:41.393460+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	62967	UDP
2024-11-07T15:36:46.932208+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	49769	54.244.188.177	80	TCP
2024-11-07T15:36:46.932208+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	49769	54.244.188.177	80	TCP
2024-11-07T15:36:47.013251+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.9	49769	TCP
2024-11-07T15:36:47.013251+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.9	49769	TCP
2024-11-07T15:36:47.061993+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.9	59115	UDP
2024-11-07T15:36:51.058444+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.9	49789	TCP
2024-11-07T15:36:51.058444+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.9	49789	TCP
2024-11-07T15:36:53.990026+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.9	49810	TCP
2024-11-07T15:37:31.687867+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.9	49979	TCP
2024-11-07T15:38:02.378593+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	49980	199.59.243.227	80	TCP
2024-11-07T15:38:02.378593+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	49980	199.59.243.227	80	TCP
2024-11-07T15:38:10.962108+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	50837	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:36:41.818797112 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:41.824378014 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:41.824454069 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:41.824665070 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:41.829957962 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:42.482978106 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:42.483071089 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:42.483119965 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:42.514851093 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:42.514914036 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:42.514976025 CET	49747	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:42.520041943 CET	80	49747	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:42.778458118 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:42.783433914 CET	80	49753	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:42.783509016 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:42.783696890 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:42.791198015 CET	80	49753	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:44.257329941 CET	80	49753	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:44.307284117 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:44.675802946 CET	80	49753	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:44.675863981 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:44.675981998 CET	49753	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:44.681114912 CET	80	49753	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:46.016515970 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:46.021954060 CET	80	49769	54.244.188.177	192.168.2.9
Nov 7, 2024 15:36:46.022037029 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:46.022080898 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:46.027015924 CET	80	49769	54.244.188.177	192.168.2.9
Nov 7, 2024 15:36:46.891947031 CET	80	49769	54.244.188.177	192.168.2.9
Nov 7, 2024 15:36:46.932208061 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:47.013251066 CET	80	49769	54.244.188.177	192.168.2.9
Nov 7, 2024 15:36:47.013345957 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:47.016940117 CET	49769	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:36:47.022053003 CET	80	49769	54.244.188.177	192.168.2.9
Nov 7, 2024 15:36:48.175879955 CET	49782	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:48.180816889 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:48.180915117 CET	49782	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:48.180963993 CET	49782	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:48.186167955 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:48.807310104 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:48.807823896 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:48.807898998 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:48.807976007 CET	49782	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:48.808016062 CET	49782	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:36:48.813391924 CET	80	49782	199.59.243.227	192.168.2.9
Nov 7, 2024 15:36:49.183835983 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:49.188628912 CET	80	49789	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:49.188726902 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:49.188824892 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:49.193661928 CET	80	49789	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:50.642986059 CET	80	49789	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:50.697869062 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:51.058444023 CET	80	49789	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:51.058643103 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:51.058689117 CET	49789	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:36:51.063640118 CET	80	49789	18.143.155.63	192.168.2.9
Nov 7, 2024 15:36:52.415884018 CET	49807	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:36:52.421591997 CET	80	49807	85.214.228.140	192.168.2.9
Nov 7, 2024 15:36:52.421659946 CET	49807	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:36:52.421741009 CET	49807	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:36:52.426594019 CET	80	49807	85.214.228.140	192.168.2.9
Nov 7, 2024 15:36:53.326940060 CET	80	49807	85.214.228.140	192.168.2.9
Nov 7, 2024 15:36:53.327073097 CET	49807	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:36:53.339179039 CET	80	49807	85.214.228.140	192.168.2.9
Nov 7, 2024 15:36:53.339235067 CET	49807	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:38:01.745126009 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:01.750051975 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:01.750152111 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:01.750246048 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:01.755814075 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:02.378360033 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:02.378474951 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:02.378592968 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:02.380279064 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:02.383070946 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:02.493489981 CET	49980	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:02.498481989 CET	80	49980	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:02.580869913 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:02.585956097 CET	80	49981	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:02.587115049 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:02.588852882 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:02.593693972 CET	80	49981	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:04.024375916 CET	80	49981	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:04.072876930 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:04.447232962 CET	80	49981	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:04.447300911 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:04.447335958 CET	49981	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:04.452145100 CET	80	49981	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:06.344548941 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:06.349446058 CET	80	63792	54.244.188.177	192.168.2.9
Nov 7, 2024 15:38:06.349529982 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:06.349591017 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:06.354511023 CET	80	63792	54.244.188.177	192.168.2.9
Nov 7, 2024 15:38:07.177685976 CET	80	63792	54.244.188.177	192.168.2.9
Nov 7, 2024 15:38:07.229315042 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:07.299773932 CET	80	63792	54.244.188.177	192.168.2.9
Nov 7, 2024 15:38:07.299870014 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:07.299921989 CET	63792	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:38:07.305593014 CET	80	63792	54.244.188.177	192.168.2.9
Nov 7, 2024 15:38:07.789573908 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:07.795929909 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:07.796025991 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:07.796103001 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:07.802241087 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:08.455400944 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:08.455430031 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:08.455483913 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:08.456012964 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:08.456062078 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:08.456108093 CET	63793	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:38:08.460891008 CET	80	63793	199.59.243.227	192.168.2.9
Nov 7, 2024 15:38:08.639470100 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:08.644762039 CET	80	63794	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:08.644835949 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:08.644896030 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:08.649658918 CET	80	63794	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:10.079900980 CET	80	63794	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:10.135416031 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:10.498878002 CET	80	63794	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:10.498964071 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:10.499016047 CET	63794	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:38:10.504213095 CET	80	63794	18.143.155.63	192.168.2.9
Nov 7, 2024 15:38:11.767894983 CET	63795	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:38:11.773139000 CET	80	63795	85.214.228.140	192.168.2.9
Nov 7, 2024 15:38:11.775141954 CET	63795	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:38:11.779052019 CET	63795	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:38:11.783921957 CET	80	63795	85.214.228.140	192.168.2.9
Nov 7, 2024 15:38:12.644689083 CET	80	63795	85.214.228.140	192.168.2.9
Nov 7, 2024 15:38:12.644956112 CET	63795	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:38:12.650311947 CET	80	63795	85.214.228.140	192.168.2.9
Nov 7, 2024 15:38:12.650399923 CET	63795	80	192.168.2.9	85.214.228.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:36:41.050302982 CET	52462	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.111907959 CET	53	52462	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.113714933 CET	56145	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.145225048 CET	53	56145	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.146069050 CET	54914	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.177762985 CET	53	54914	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.178550005 CET	60099	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.188525915 CET	53	60099	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.189086914 CET	64348	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.199429035 CET	53	64348	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.199981928 CET	63681	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.207257986 CET	53	63681	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.209950924 CET	62615	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.217824936 CET	53	62615	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.218425035 CET	58794	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.229033947 CET	53	58794	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.229798079 CET	64216	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.260451078 CET	53	64216	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.294986963 CET	49815	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.304614067 CET	53	49815	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.305576086 CET	63117	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.315557003 CET	53	63117	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.316170931 CET	65033	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.325692892 CET	53	65033	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.326277971 CET	57931	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.357922077 CET	53	57931	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.358571053 CET	59589	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.368921041 CET	53	59589	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.370354891 CET	50816	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.380630970 CET	53	50816	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.382960081 CET	62967	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.393460035 CET	53	62967	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:41.394149065 CET	53302	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:41.788630962 CET	53	53302	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:42.515652895 CET	53679	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:42.525423050 CET	53	53679	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:42.526212931 CET	49411	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:42.537184000 CET	53	49411	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:42.537807941 CET	54034	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:42.572504044 CET	53	54034	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:42.573466063 CET	50746	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:42.581011057 CET	53	50746	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:42.581651926 CET	53961	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:42.777832985 CET	53	53961	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.676578999 CET	62720	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.706975937 CET	53	62720	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.707760096 CET	55185	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.718275070 CET	53	55185	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.719074011 CET	56930	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.750669003 CET	53	56930	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.751648903 CET	65337	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.761961937 CET	53	65337	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.762927055 CET	57591	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.773670912 CET	53	57591	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.774493933 CET	51238	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.783243895 CET	53	51238	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.783885002 CET	64056	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.794020891 CET	53	64056	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.794682980 CET	63746	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.805041075 CET	53	63746	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.805752039 CET	52272	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.816159964 CET	53	52272	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.816792011 CET	52906	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.827109098 CET	53	52906	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.827713966 CET	53296	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.839308977 CET	53	53296	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.839998007 CET	61659	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.849375963 CET	53	61659	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.850414038 CET	62024	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.861718893 CET	53	62024	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.870445967 CET	56884	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.880482912 CET	53	56884	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.881329060 CET	53301	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.912039995 CET	53	53301	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.912918091 CET	62348	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.923182964 CET	53	62348	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.924460888 CET	55807	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.934474945 CET	53	55807	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.935142994 CET	49577	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:44.944849968 CET	53	49577	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:44.945460081 CET	58269	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.116229057 CET	53	58269	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.117275953 CET	50305	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.150058031 CET	53	50305	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.150999069 CET	59467	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.183279991 CET	53	59467	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.184061050 CET	49989	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.195185900 CET	53	49989	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.211770058 CET	55627	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.222891092 CET	53	55627	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.223660946 CET	63388	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.254772902 CET	53	63388	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.255625963 CET	59788	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.265538931 CET	53	59788	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.266268015 CET	59250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.298223972 CET	53	59250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.299246073 CET	64947	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.315295935 CET	53	64947	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.316246033 CET	56726	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.327004910 CET	53	56726	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.328000069 CET	57058	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.359874964 CET	53	57058	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.360821009 CET	51218	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.374948025 CET	53	51218	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.375619888 CET	54556	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.407706976 CET	53	54556	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.408478975 CET	64887	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.439616919 CET	53	64887	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.440332890 CET	51321	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.451114893 CET	53	51321	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.451772928 CET	58295	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.484122992 CET	53	58295	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.484956026 CET	60075	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.495126963 CET	53	60075	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.495737076 CET	65513	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.506206036 CET	53	65513	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.506923914 CET	50872	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.517035007 CET	53	50872	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.517699957 CET	49725	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.549072027 CET	53	49725	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.556449890 CET	64122	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.566492081 CET	53	64122	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.567568064 CET	51498	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.576580048 CET	53	51498	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.577343941 CET	50063	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.587358952 CET	53	50063	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.587977886 CET	50233	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.597523928 CET	53	50233	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.598237038 CET	61841	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.607342958 CET	53	61841	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.607918024 CET	61498	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.617626905 CET	53	61498	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.618236065 CET	56976	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.651417971 CET	53	56976	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.652226925 CET	55315	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.683784008 CET	53	55315	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.684583902 CET	64121	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.694428921 CET	53	64121	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.695198059 CET	54545	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.726552010 CET	53	54545	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.727263927 CET	64512	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.737709999 CET	53	64512	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.738333941 CET	54905	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.749027014 CET	53	54905	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.749670982 CET	50983	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.780922890 CET	53	50983	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.781754017 CET	63661	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.812597036 CET	53	63661	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.813451052 CET	54688	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:45.823563099 CET	53	54688	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:45.824341059 CET	51366	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:46.015868902 CET	53	51366	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.017627001 CET	57895	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.051615000 CET	53	57895	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.052763939 CET	59115	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.061992884 CET	53	59115	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.072285891 CET	65063	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.233160019 CET	53	65063	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.292077065 CET	50831	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.324249029 CET	53	50831	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.333009005 CET	62105	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.342902899 CET	53	62105	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.345480919 CET	49492	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.356717110 CET	53	49492	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.360543966 CET	59625	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.370729923 CET	53	59625	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.374072075 CET	55788	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.384047985 CET	53	55788	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.388386011 CET	56987	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.397938013 CET	53	56987	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.400921106 CET	49833	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.411195993 CET	53	49833	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.412272930 CET	50250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.443680048 CET	53	50250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.444581985 CET	60912	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.454735994 CET	53	60912	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.455421925 CET	60070	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.486695051 CET	53	60070	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.487643957 CET	54785	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.517868996 CET	53	54785	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.519076109 CET	59108	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.550509930 CET	53	59108	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.551376104 CET	60706	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.561275005 CET	53	60706	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.562151909 CET	49533	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.594464064 CET	53	49533	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.595709085 CET	58162	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.627815008 CET	53	58162	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.628678083 CET	54144	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.639123917 CET	53	54144	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.639870882 CET	58165	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.670681953 CET	53	58165	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.671439886 CET	61682	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.702897072 CET	53	61682	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.703834057 CET	51580	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.714945078 CET	53	51580	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.715764999 CET	56941	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.746973038 CET	53	56941	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.747875929 CET	51241	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.758708954 CET	53	51241	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.759361982 CET	63229	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:47.792493105 CET	53	63229	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:47.793765068 CET	57765	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.175153971 CET	53	57765	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.808562040 CET	49549	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.840154886 CET	53	49549	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.843760014 CET	56174	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.855289936 CET	53	56174	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.859777927 CET	54123	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.871088028 CET	53	54123	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.875865936 CET	60341	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.885462046 CET	53	60341	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.887687922 CET	49204	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.896287918 CET	53	49204	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.899856091 CET	63184	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.909605026 CET	53	63184	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.911968946 CET	51618	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.922087908 CET	53	51618	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.922858000 CET	61026	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.932671070 CET	53	61026	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.933564901 CET	60745	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.964040995 CET	53	60745	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.967917919 CET	65331	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:48.978276968 CET	53	65331	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:48.980249882 CET	61385	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:49.183183908 CET	53	61385	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.059359074 CET	58564	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.069937944 CET	53	58564	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.070606947 CET	62136	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.102983952 CET	53	62136	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.104135990 CET	51571	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.113197088 CET	53	51571	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.115626097 CET	60669	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.146121025 CET	53	60669	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.147067070 CET	55374	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.178510904 CET	53	55374	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.179224014 CET	55786	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.189460993 CET	53	55786	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.190165043 CET	63011	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.221637964 CET	53	63011	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.222204924 CET	58590	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.232311010 CET	53	58590	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.233115911 CET	54301	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.244137049 CET	53	54301	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.244751930 CET	56086	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.255127907 CET	53	56086	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.255752087 CET	65380	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.265244961 CET	53	65380	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.265850067 CET	57726	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.277667999 CET	53	57726	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.278141975 CET	54718	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.288007021 CET	53	54718	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.288541079 CET	49909	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.297745943 CET	53	49909	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.298264980 CET	52367	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.308209896 CET	53	52367	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.309112072 CET	58309	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.319504023 CET	53	58309	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.320065975 CET	54382	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.330214977 CET	53	54382	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.330861092 CET	63706	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.341267109 CET	53	63706	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.341831923 CET	49630	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.352261066 CET	53	49630	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.352878094 CET	60075	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.362915039 CET	53	60075	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.363785982 CET	65456	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.373195887 CET	53	65456	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.374078989 CET	54623	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.533394098 CET	53	54623	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.534204960 CET	64572	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.544598103 CET	53	64572	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.545602083 CET	64397	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.556175947 CET	53	64397	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.558458090 CET	62343	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.567590952 CET	53	62343	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.568411112 CET	58967	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.578109026 CET	53	58967	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.579267025 CET	63789	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.588618994 CET	53	63789	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.589824915 CET	50112	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.599906921 CET	53	50112	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.600615025 CET	62303	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.610681057 CET	53	62303	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.611511946 CET	50549	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.622925997 CET	53	50549	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.624106884 CET	49444	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.787349939 CET	53	49444	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.849509954 CET	57684	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:51.881700993 CET	53	57684	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:51.969439030 CET	64586	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.001473904 CET	53	64586	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.046266079 CET	53832	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.055713892 CET	53	53832	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.107223034 CET	57010	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.117743969 CET	53	57010	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.124056101 CET	63927	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.155544043 CET	53	63927	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.207256079 CET	55860	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.238694906 CET	53	55860	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.256023884 CET	51289	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.265528917 CET	53	51289	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.266679049 CET	65500	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.277210951 CET	53	65500	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.277908087 CET	64193	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.286815882 CET	53	64193	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.287667036 CET	59548	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.296794891 CET	53	59548	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.297483921 CET	63561	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.307910919 CET	53	63561	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.308903933 CET	53358	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.339756966 CET	53	53358	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.340544939 CET	62146	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.351840019 CET	53	62146	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.352407932 CET	57302	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.362927914 CET	53	57302	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:52.363579988 CET	61786	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:52.411211967 CET	53	61786	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.327754021 CET	57825	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.364907980 CET	53	57825	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.365700006 CET	64728	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.378197908 CET	53	64728	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.379012108 CET	60712	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.391110897 CET	53	60712	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.391803980 CET	51520	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.403758049 CET	53	51520	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.404449940 CET	49929	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.416626930 CET	53	49929	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.418750048 CET	50156	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.432708979 CET	53	50156	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.433476925 CET	52694	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.445683002 CET	53	52694	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.446676970 CET	64215	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.459511995 CET	53	64215	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.463345051 CET	58244	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.474066973 CET	53	58244	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.477776051 CET	58025	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.510129929 CET	53	58025	1.1.1.1	192.168.2.9
Nov 7, 2024 15:36:53.511151075 CET	53817	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:36:53.523245096 CET	53	53817	1.1.1.1	192.168.2.9
Nov 7, 2024 15:37:06.214005947 CET	49706	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:37:06.223705053 CET	53	49706	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:00.705576897 CET	56699	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.432732105 CET	53	56699	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.434281111 CET	65264	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.449049950 CET	53	65264	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.449757099 CET	50553	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.480163097 CET	53	50553	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.480940104 CET	63980	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.491534948 CET	53	63980	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.492161989 CET	56058	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.522877932 CET	53	56058	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.523597002 CET	49790	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.554927111 CET	53	49790	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.555818081 CET	63571	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.565845966 CET	53	63571	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.566469908 CET	57539	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.577357054 CET	53	57539	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.579246998 CET	55198	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.589478016 CET	53	55198	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.590675116 CET	63770	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.622051001 CET	53	63770	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.627125025 CET	54451	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.639750957 CET	53	54451	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.640749931 CET	51585	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.650511980 CET	53	51585	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.652466059 CET	52495	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.662019968 CET	53	52495	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.664535046 CET	55126	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.696595907 CET	53	55126	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.699783087 CET	54381	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.710567951 CET	53	54381	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:01.711258888 CET	63964	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:01.742269993 CET	53	63964	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:02.494620085 CET	61334	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:02.504389048 CET	53	61334	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:02.505470991 CET	61278	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:02.515393972 CET	53	61278	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:02.523715973 CET	56591	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:02.556268930 CET	53	56591	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:02.564419985 CET	64996	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:02.574297905 CET	53	64996	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.447999001 CET	56884	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.458347082 CET	53	56884	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.459145069 CET	60249	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.469228029 CET	53	60249	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.469917059 CET	50986	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.480494976 CET	53	50986	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.481355906 CET	62985	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.513540983 CET	53	62985	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.514487982 CET	64615	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.525290966 CET	53	64615	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.525979996 CET	62827	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.560516119 CET	53	62827	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.561388016 CET	53587	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.571487904 CET	53	53587	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.572221994 CET	58694	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.582988024 CET	53	58694	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.583705902 CET	62261	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.594140053 CET	53	62261	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.594896078 CET	61634	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.605259895 CET	53	61634	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.605921984 CET	52329	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.615406990 CET	53	52329	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.616014004 CET	53258	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.646536112 CET	53	53258	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.647259951 CET	57021	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.678975105 CET	53	57021	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.679900885 CET	61947	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.690696955 CET	53	61947	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.691441059 CET	61806	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.722465038 CET	53	61806	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.723258972 CET	51153	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.733623028 CET	53	51153	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.734639883 CET	56819	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.745835066 CET	53	56819	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.746566057 CET	54435	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.781147957 CET	53	54435	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.782071114 CET	64598	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.792872906 CET	53	64598	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.793514013 CET	63406	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.825900078 CET	53	63406	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.826812983 CET	64352	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.858939886 CET	53	64352	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.859863043 CET	58146	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.871344090 CET	53	58146	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.872095108 CET	60340	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.883877039 CET	53	60340	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.884603977 CET	60591	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.895503998 CET	53	60591	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.896188974 CET	63214	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.907083035 CET	53	63214	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.907762051 CET	57825	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.921077013 CET	53	57825	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.921868086 CET	64307	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.933444023 CET	53	64307	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.934529066 CET	50125	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:04.967891932 CET	53	50125	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:04.968933105 CET	51355	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.001133919 CET	53	51355	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.002526999 CET	58439	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.013895988 CET	53	58439	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.014982939 CET	63379	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.026895046 CET	53	63379	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.028012991 CET	64057	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.037261009 CET	53	64057	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.037992954 CET	52258	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.072228909 CET	53	52258	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.073146105 CET	53559	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.107861996 CET	53	53559	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.131933928 CET	55620	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.144309998 CET	53	55620	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.145687103 CET	56010	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.156295061 CET	53	56010	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.194144011 CET	65053	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.225006104 CET	53	65053	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.231611967 CET	50982	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.242798090 CET	53	50982	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.243499041 CET	61240	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.253448963 CET	53	61240	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.258845091 CET	56857	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.289071083 CET	53	56857	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.312292099 CET	58776	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.344784975 CET	53	58776	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.362745047 CET	59486	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.394434929 CET	53	59486	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.416191101 CET	55700	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.446806908 CET	53	55700	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.467833042 CET	54895	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.478264093 CET	53	54895	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.481424093 CET	50738	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.517384052 CET	53	50738	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.518603086 CET	50196	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.529195070 CET	53	50196	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.531332970 CET	64504	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.540546894 CET	53	64504	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.586497068 CET	57598	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.605618000 CET	53	57598	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.606601954 CET	60073	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.633152962 CET	53	60073	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.633968115 CET	51466	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.645726919 CET	53	51466	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.646538973 CET	53505	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.656874895 CET	53	53505	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:05.657613039 CET	56328	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:05.664997101 CET	53	56328	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:06.312278986 CET	51632	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:06.343605042 CET	53	51632	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.300549030 CET	54800	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.311254978 CET	53	54800	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.312066078 CET	49711	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.324434996 CET	53	49711	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.325910091 CET	62873	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.336504936 CET	53	62873	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.337703943 CET	53155	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.348666906 CET	53	53155	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.349519968 CET	64775	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.359586954 CET	53	64775	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.361692905 CET	55806	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.373624086 CET	53	55806	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.374377966 CET	59026	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.384836912 CET	53	59026	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.385550976 CET	56872	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.396369934 CET	53	56872	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.397151947 CET	62429	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.407377958 CET	53	62429	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.407959938 CET	63462	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.423894882 CET	53	63462	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.424644947 CET	52282	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.434694052 CET	53	52282	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.435441971 CET	63297	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.468769073 CET	53	63297	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.469670057 CET	63633	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.490694046 CET	53	63633	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.491621017 CET	55489	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.502863884 CET	53	55489	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.507894039 CET	62086	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.517951965 CET	53	62086	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.520184040 CET	53576	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.689591885 CET	53	53576	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.690572977 CET	55690	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.702162981 CET	53	55690	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.702745914 CET	65221	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.712467909 CET	53	65221	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.713032961 CET	63598	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.722544909 CET	53	63598	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.723011017 CET	64196	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.732669115 CET	53	64196	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.733150959 CET	59851	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.742307901 CET	53	59851	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.742877007 CET	50805	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.753990889 CET	53	50805	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.754760027 CET	58805	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.764252901 CET	53	58805	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.764802933 CET	53574	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.776774883 CET	53	53574	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:07.777291059 CET	52631	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:07.788712025 CET	53	52631	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.456933975 CET	61167	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.488342047 CET	53	61167	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.489557981 CET	49290	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.500252962 CET	53	49290	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.501261950 CET	59019	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.512100935 CET	53	59019	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.512903929 CET	62987	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.545036077 CET	53	62987	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.550962925 CET	62250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.561583996 CET	53	62250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.562419891 CET	51884	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.573133945 CET	53	51884	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.573869944 CET	49377	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.583730936 CET	53	49377	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.584475994 CET	51288	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.615607023 CET	53	51288	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.616604090 CET	62370	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.627393961 CET	53	62370	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:08.628298044 CET	58213	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:08.638802052 CET	53	58213	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.499733925 CET	53027	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.672561884 CET	53	53027	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.673497915 CET	60882	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.686836004 CET	53	60882	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.687664986 CET	49184	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.698169947 CET	53	49184	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.699076891 CET	62056	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.710377932 CET	53	62056	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.711070061 CET	63989	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.720669031 CET	53	63989	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.721386909 CET	64142	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.732326031 CET	53	64142	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.733007908 CET	50184	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.765047073 CET	53	50184	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.765816927 CET	61899	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.776478052 CET	53	61899	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.777429104 CET	49404	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.788181067 CET	53	49404	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.789052963 CET	54314	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.799160957 CET	53	54314	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.800043106 CET	51514	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.810364962 CET	53	51514	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.811073065 CET	51601	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.821604967 CET	53	51601	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.822252989 CET	54121	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.832634926 CET	53	54121	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.833317995 CET	58660	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.843082905 CET	53	58660	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.843699932 CET	53995	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.875849962 CET	53	53995	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.876708984 CET	55884	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.887226105 CET	53	55884	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.888058901 CET	49193	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.898766041 CET	53	49193	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.899601936 CET	64054	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.910420895 CET	53	64054	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.911302090 CET	57215	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.922327042 CET	53	57215	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.923322916 CET	52336	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.938925028 CET	53	52336	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.941585064 CET	65167	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.950731039 CET	53	65167	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.951515913 CET	50837	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.962107897 CET	53	50837	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.962820053 CET	52309	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.973789930 CET	53	52309	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.974587917 CET	51010	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.985744953 CET	53	51010	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.986459017 CET	58709	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:10.996197939 CET	53	58709	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:10.996877909 CET	61992	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.006370068 CET	53	61992	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.007050991 CET	64586	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.037195921 CET	53	64586	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.038011074 CET	62347	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.047250986 CET	53	62347	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.047962904 CET	61069	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.057559013 CET	53	61069	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.058316946 CET	52374	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.067289114 CET	53	52374	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.068182945 CET	52917	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.098397017 CET	53	52917	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.099337101 CET	58170	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.131788015 CET	53	58170	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.132664919 CET	49442	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.143851042 CET	53	49442	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.144793987 CET	51493	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.155627012 CET	53	51493	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.156441927 CET	61100	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.312732935 CET	53	61100	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.313602924 CET	55418	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.323893070 CET	53	55418	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.324788094 CET	57467	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.334952116 CET	53	57467	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.335685968 CET	52277	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.490267992 CET	53	52277	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.491254091 CET	62192	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.657113075 CET	53	62192	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.658339977 CET	60160	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.668025017 CET	53	60160	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.669090033 CET	59699	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.679255962 CET	53	59699	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.680232048 CET	49477	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.689918995 CET	53	49477	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.691948891 CET	54255	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.722966909 CET	53	54255	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.724044085 CET	49322	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.734047890 CET	53	49322	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:11.734709978 CET	53826	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:11.766438961 CET	53	53826	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.646212101 CET	55074	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.655509949 CET	53	55074	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.661416054 CET	63574	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.671128988 CET	53	63574	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.671947956 CET	57829	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.682415009 CET	53	57829	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.683032036 CET	51020	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.690926075 CET	53	51020	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.691564083 CET	59232	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.701512098 CET	53	59232	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.702040911 CET	55422	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.711639881 CET	53	55422	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.712354898 CET	52012	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.743012905 CET	53	52012	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.743973017 CET	52194	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.753505945 CET	53	52194	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.754215956 CET	64590	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.786721945 CET	53	64590	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.787421942 CET	60664	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.798074961 CET	53	60664	1.1.1.1	192.168.2.9
Nov 7, 2024 15:38:12.798731089 CET	51309	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:38:12.808193922 CET	53	51309	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 15:36:41.050302982 CET	192.168.2.9	1.1.1.1	0xfba	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.113714933 CET	192.168.2.9	1.1.1.1	0x91d0	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.146069050 CET	192.168.2.9	1.1.1.1	0x135a	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.178550005 CET	192.168.2.9	1.1.1.1	0x5e73	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.189086914 CET	192.168.2.9	1.1.1.1	0x84b8	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.199981928 CET	192.168.2.9	1.1.1.1	0xfffb	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.209950924 CET	192.168.2.9	1.1.1.1	0x5c94	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.218425035 CET	192.168.2.9	1.1.1.1	0x5d3a	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.229798079 CET	192.168.2.9	1.1.1.1	0x3880	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.294986963 CET	192.168.2.9	1.1.1.1	0xd7cf	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.305576086 CET	192.168.2.9	1.1.1.1	0xf5b0	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.316170931 CET	192.168.2.9	1.1.1.1	0xccc	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.326277971 CET	192.168.2.9	1.1.1.1	0xec0f	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.358571053 CET	192.168.2.9	1.1.1.1	0x7ca2	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.370354891 CET	192.168.2.9	1.1.1.1	0xdecc	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.382960081 CET	192.168.2.9	1.1.1.1	0x4653	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.394149065 CET	192.168.2.9	1.1.1.1	0x24a1	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.515652895 CET	192.168.2.9	1.1.1.1	0xbf4c	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.526212931 CET	192.168.2.9	1.1.1.1	0x8643	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.537807941 CET	192.168.2.9	1.1.1.1	0x76bf	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.573466063 CET	192.168.2.9	1.1.1.1	0xc5	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.581651926 CET	192.168.2.9	1.1.1.1	0x2f02	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.676578999 CET	192.168.2.9	1.1.1.1	0x5bf2	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.707760096 CET	192.168.2.9	1.1.1.1	0x8ea2	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.719074011 CET	192.168.2.9	1.1.1.1	0xe870	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.751648903 CET	192.168.2.9	1.1.1.1	0xea41	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.762927055 CET	192.168.2.9	1.1.1.1	0xbc69	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.774493933 CET	192.168.2.9	1.1.1.1	0x178f	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.783885002 CET	192.168.2.9	1.1.1.1	0xcfaf	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.794682980 CET	192.168.2.9	1.1.1.1	0x8a18	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.805752039 CET	192.168.2.9	1.1.1.1	0xefec	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.816792011 CET	192.168.2.9	1.1.1.1	0xdf9	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.827713966 CET	192.168.2.9	1.1.1.1	0x8a1a	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.839998007 CET	192.168.2.9	1.1.1.1	0x5ef9	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.850414038 CET	192.168.2.9	1.1.1.1	0x7e39	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.870445967 CET	192.168.2.9	1.1.1.1	0x6b53	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.881329060 CET	192.168.2.9	1.1.1.1	0xb7	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.912918091 CET	192.168.2.9	1.1.1.1	0xd23d	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.924460888 CET	192.168.2.9	1.1.1.1	0x2257	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.935142994 CET	192.168.2.9	1.1.1.1	0x5eaa	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.945460081 CET	192.168.2.9	1.1.1.1	0xa8ea	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.117275953 CET	192.168.2.9	1.1.1.1	0x3bba	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.150999069 CET	192.168.2.9	1.1.1.1	0x56e9	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.184061050 CET	192.168.2.9	1.1.1.1	0xc2b5	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.211770058 CET	192.168.2.9	1.1.1.1	0x533d	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.223660946 CET	192.168.2.9	1.1.1.1	0x1eb2	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.255625963 CET	192.168.2.9	1.1.1.1	0x416	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.266268015 CET	192.168.2.9	1.1.1.1	0x2c92	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.299246073 CET	192.168.2.9	1.1.1.1	0x7174	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.316246033 CET	192.168.2.9	1.1.1.1	0x17f5	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.328000069 CET	192.168.2.9	1.1.1.1	0x4367	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.360821009 CET	192.168.2.9	1.1.1.1	0x6c30	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.375619888 CET	192.168.2.9	1.1.1.1	0x1b1f	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.408478975 CET	192.168.2.9	1.1.1.1	0xcbca	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.440332890 CET	192.168.2.9	1.1.1.1	0x2231	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.451772928 CET	192.168.2.9	1.1.1.1	0x8190	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.484956026 CET	192.168.2.9	1.1.1.1	0x2fb7	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.495737076 CET	192.168.2.9	1.1.1.1	0xad7d	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.506923914 CET	192.168.2.9	1.1.1.1	0x2d3	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.517699957 CET	192.168.2.9	1.1.1.1	0x1fcc	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.556449890 CET	192.168.2.9	1.1.1.1	0xecd	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.567568064 CET	192.168.2.9	1.1.1.1	0x199	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.577343941 CET	192.168.2.9	1.1.1.1	0xda78	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.587977886 CET	192.168.2.9	1.1.1.1	0x22e8	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.598237038 CET	192.168.2.9	1.1.1.1	0xf4a2	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.607918024 CET	192.168.2.9	1.1.1.1	0x37e3	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.618236065 CET	192.168.2.9	1.1.1.1	0x634d	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.652226925 CET	192.168.2.9	1.1.1.1	0xe55	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.684583902 CET	192.168.2.9	1.1.1.1	0x6d33	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.695198059 CET	192.168.2.9	1.1.1.1	0xbd9a	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.727263927 CET	192.168.2.9	1.1.1.1	0x64f	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.738333941 CET	192.168.2.9	1.1.1.1	0xa8ad	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.749670982 CET	192.168.2.9	1.1.1.1	0x69cb	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.781754017 CET	192.168.2.9	1.1.1.1	0x9fc2	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.813451052 CET	192.168.2.9	1.1.1.1	0x91b3	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.824341059 CET	192.168.2.9	1.1.1.1	0xdee6	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.017627001 CET	192.168.2.9	1.1.1.1	0xf46	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.052763939 CET	192.168.2.9	1.1.1.1	0xe3db	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.072285891 CET	192.168.2.9	1.1.1.1	0x572a	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.292077065 CET	192.168.2.9	1.1.1.1	0xafe7	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.333009005 CET	192.168.2.9	1.1.1.1	0xd80f	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.345480919 CET	192.168.2.9	1.1.1.1	0xd7a0	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.360543966 CET	192.168.2.9	1.1.1.1	0xee0	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.374072075 CET	192.168.2.9	1.1.1.1	0x122b	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.388386011 CET	192.168.2.9	1.1.1.1	0xc309	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.400921106 CET	192.168.2.9	1.1.1.1	0x592b	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.412272930 CET	192.168.2.9	1.1.1.1	0xa7a8	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.444581985 CET	192.168.2.9	1.1.1.1	0x5f93	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.455421925 CET	192.168.2.9	1.1.1.1	0xcaf9	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.487643957 CET	192.168.2.9	1.1.1.1	0x2b94	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.519076109 CET	192.168.2.9	1.1.1.1	0xf83d	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.551376104 CET	192.168.2.9	1.1.1.1	0x932c	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.562151909 CET	192.168.2.9	1.1.1.1	0x1e21	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.595709085 CET	192.168.2.9	1.1.1.1	0xd5dc	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.628678083 CET	192.168.2.9	1.1.1.1	0x8a7e	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.639870882 CET	192.168.2.9	1.1.1.1	0xc286	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.671439886 CET	192.168.2.9	1.1.1.1	0xb100	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.703834057 CET	192.168.2.9	1.1.1.1	0x8728	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.715764999 CET	192.168.2.9	1.1.1.1	0x48d3	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.747875929 CET	192.168.2.9	1.1.1.1	0x5cb3	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.759361982 CET	192.168.2.9	1.1.1.1	0x3c60	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.793765068 CET	192.168.2.9	1.1.1.1	0x9415	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.808562040 CET	192.168.2.9	1.1.1.1	0xd43c	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.843760014 CET	192.168.2.9	1.1.1.1	0x2d32	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.859777927 CET	192.168.2.9	1.1.1.1	0xfc41	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.875865936 CET	192.168.2.9	1.1.1.1	0x15bc	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.887687922 CET	192.168.2.9	1.1.1.1	0x7c29	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.899856091 CET	192.168.2.9	1.1.1.1	0x3b9a	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.911968946 CET	192.168.2.9	1.1.1.1	0x5a3d	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.922858000 CET	192.168.2.9	1.1.1.1	0x7b08	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.933564901 CET	192.168.2.9	1.1.1.1	0x987f	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.967917919 CET	192.168.2.9	1.1.1.1	0xa74	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.980249882 CET	192.168.2.9	1.1.1.1	0x4dbe	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.059359074 CET	192.168.2.9	1.1.1.1	0xc85	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.070606947 CET	192.168.2.9	1.1.1.1	0xbae	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.104135990 CET	192.168.2.9	1.1.1.1	0x6366	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.115626097 CET	192.168.2.9	1.1.1.1	0x59dd	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.147067070 CET	192.168.2.9	1.1.1.1	0x66ec	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.179224014 CET	192.168.2.9	1.1.1.1	0x5199	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.190165043 CET	192.168.2.9	1.1.1.1	0xb63b	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.222204924 CET	192.168.2.9	1.1.1.1	0xc3a7	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.233115911 CET	192.168.2.9	1.1.1.1	0x9bc3	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.244751930 CET	192.168.2.9	1.1.1.1	0xb7af	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.255752087 CET	192.168.2.9	1.1.1.1	0x869f	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.265850067 CET	192.168.2.9	1.1.1.1	0x739f	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.278141975 CET	192.168.2.9	1.1.1.1	0xdcb4	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.288541079 CET	192.168.2.9	1.1.1.1	0xcb20	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.298264980 CET	192.168.2.9	1.1.1.1	0x2fa2	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.309112072 CET	192.168.2.9	1.1.1.1	0x5ac7	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.320065975 CET	192.168.2.9	1.1.1.1	0x8134	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.330861092 CET	192.168.2.9	1.1.1.1	0x6f2f	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.341831923 CET	192.168.2.9	1.1.1.1	0x2f78	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.352878094 CET	192.168.2.9	1.1.1.1	0x9995	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.363785982 CET	192.168.2.9	1.1.1.1	0xe06c	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.374078989 CET	192.168.2.9	1.1.1.1	0x75a3	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.534204960 CET	192.168.2.9	1.1.1.1	0x2ee3	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.545602083 CET	192.168.2.9	1.1.1.1	0x532c	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.558458090 CET	192.168.2.9	1.1.1.1	0xa9ed	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.568411112 CET	192.168.2.9	1.1.1.1	0xbad2	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.579267025 CET	192.168.2.9	1.1.1.1	0xc0f	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.589824915 CET	192.168.2.9	1.1.1.1	0x933b	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.600615025 CET	192.168.2.9	1.1.1.1	0xf48c	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.611511946 CET	192.168.2.9	1.1.1.1	0x6416	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.624106884 CET	192.168.2.9	1.1.1.1	0x5921	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.849509954 CET	192.168.2.9	1.1.1.1	0x9340	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.969439030 CET	192.168.2.9	1.1.1.1	0x1e28	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.046266079 CET	192.168.2.9	1.1.1.1	0xf6b9	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.107223034 CET	192.168.2.9	1.1.1.1	0x52ba	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.124056101 CET	192.168.2.9	1.1.1.1	0x60bb	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.207256079 CET	192.168.2.9	1.1.1.1	0xa792	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.256023884 CET	192.168.2.9	1.1.1.1	0x831	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.266679049 CET	192.168.2.9	1.1.1.1	0xc0ec	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.277908087 CET	192.168.2.9	1.1.1.1	0x5244	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.287667036 CET	192.168.2.9	1.1.1.1	0xba02	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.297483921 CET	192.168.2.9	1.1.1.1	0xd6d	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.308903933 CET	192.168.2.9	1.1.1.1	0x76fc	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.340544939 CET	192.168.2.9	1.1.1.1	0x20ca	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.352407932 CET	192.168.2.9	1.1.1.1	0x195a	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.363579988 CET	192.168.2.9	1.1.1.1	0x1b5	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.327754021 CET	192.168.2.9	1.1.1.1	0xd7a2	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.365700006 CET	192.168.2.9	1.1.1.1	0xab62	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.379012108 CET	192.168.2.9	1.1.1.1	0x534d	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.391803980 CET	192.168.2.9	1.1.1.1	0xe4a5	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.404449940 CET	192.168.2.9	1.1.1.1	0x3e1d	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.418750048 CET	192.168.2.9	1.1.1.1	0x775a	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.433476925 CET	192.168.2.9	1.1.1.1	0xef07	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.446676970 CET	192.168.2.9	1.1.1.1	0xf1da	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.463345051 CET	192.168.2.9	1.1.1.1	0xa4d7	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.477776051 CET	192.168.2.9	1.1.1.1	0x4286	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.511151075 CET	192.168.2.9	1.1.1.1	0x76bd	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:37:06.214005947 CET	192.168.2.9	1.1.1.1	0x5e16	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:00.705576897 CET	192.168.2.9	1.1.1.1	0xda8a	Standard query (0)	leaderstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.434281111 CET	192.168.2.9	1.1.1.1	0x1e0f	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.449757099 CET	192.168.2.9	1.1.1.1	0x6ef9	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.480940104 CET	192.168.2.9	1.1.1.1	0x447d	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.492161989 CET	192.168.2.9	1.1.1.1	0x684c	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.523597002 CET	192.168.2.9	1.1.1.1	0xda23	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.555818081 CET	192.168.2.9	1.1.1.1	0x9bb4	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.566469908 CET	192.168.2.9	1.1.1.1	0x80d3	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.579246998 CET	192.168.2.9	1.1.1.1	0x466c	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.590675116 CET	192.168.2.9	1.1.1.1	0xc7c8	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.627125025 CET	192.168.2.9	1.1.1.1	0xc916	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.640749931 CET	192.168.2.9	1.1.1.1	0x1b2a	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.652466059 CET	192.168.2.9	1.1.1.1	0x508f	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.664535046 CET	192.168.2.9	1.1.1.1	0x101b	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.699783087 CET	192.168.2.9	1.1.1.1	0x3d6f	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.711258888 CET	192.168.2.9	1.1.1.1	0xce10	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.494620085 CET	192.168.2.9	1.1.1.1	0xaa4e	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.505470991 CET	192.168.2.9	1.1.1.1	0x865	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.523715973 CET	192.168.2.9	1.1.1.1	0x3c51	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.564419985 CET	192.168.2.9	1.1.1.1	0xaf47	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.447999001 CET	192.168.2.9	1.1.1.1	0xb876	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.459145069 CET	192.168.2.9	1.1.1.1	0x2791	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.469917059 CET	192.168.2.9	1.1.1.1	0x5403	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.481355906 CET	192.168.2.9	1.1.1.1	0x513	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.514487982 CET	192.168.2.9	1.1.1.1	0xb975	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.525979996 CET	192.168.2.9	1.1.1.1	0x5499	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.561388016 CET	192.168.2.9	1.1.1.1	0xa963	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.572221994 CET	192.168.2.9	1.1.1.1	0xed71	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.583705902 CET	192.168.2.9	1.1.1.1	0x5586	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.594896078 CET	192.168.2.9	1.1.1.1	0x88f1	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.605921984 CET	192.168.2.9	1.1.1.1	0x168f	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.616014004 CET	192.168.2.9	1.1.1.1	0x1b09	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.647259951 CET	192.168.2.9	1.1.1.1	0x15d1	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.679900885 CET	192.168.2.9	1.1.1.1	0xafce	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.691441059 CET	192.168.2.9	1.1.1.1	0xd797	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.723258972 CET	192.168.2.9	1.1.1.1	0x45f8	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.734639883 CET	192.168.2.9	1.1.1.1	0x6ad9	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.746566057 CET	192.168.2.9	1.1.1.1	0xc568	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.782071114 CET	192.168.2.9	1.1.1.1	0xceb1	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.793514013 CET	192.168.2.9	1.1.1.1	0x299b	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.826812983 CET	192.168.2.9	1.1.1.1	0xd882	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.859863043 CET	192.168.2.9	1.1.1.1	0x1ffb	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.872095108 CET	192.168.2.9	1.1.1.1	0xcc49	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.884603977 CET	192.168.2.9	1.1.1.1	0x5429	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.896188974 CET	192.168.2.9	1.1.1.1	0x81ae	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.907762051 CET	192.168.2.9	1.1.1.1	0x4bc3	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.921868086 CET	192.168.2.9	1.1.1.1	0xfdd5	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.934529066 CET	192.168.2.9	1.1.1.1	0xe230	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.968933105 CET	192.168.2.9	1.1.1.1	0x43cf	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.002526999 CET	192.168.2.9	1.1.1.1	0x149	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.014982939 CET	192.168.2.9	1.1.1.1	0x3d88	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.028012991 CET	192.168.2.9	1.1.1.1	0xed0b	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.037992954 CET	192.168.2.9	1.1.1.1	0xe42	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.073146105 CET	192.168.2.9	1.1.1.1	0x87f2	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.131933928 CET	192.168.2.9	1.1.1.1	0x24b5	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.145687103 CET	192.168.2.9	1.1.1.1	0x555	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.194144011 CET	192.168.2.9	1.1.1.1	0x40a0	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.231611967 CET	192.168.2.9	1.1.1.1	0x431	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.243499041 CET	192.168.2.9	1.1.1.1	0x617c	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.258845091 CET	192.168.2.9	1.1.1.1	0x4689	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.312292099 CET	192.168.2.9	1.1.1.1	0xb9ae	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.362745047 CET	192.168.2.9	1.1.1.1	0x2ec6	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.416191101 CET	192.168.2.9	1.1.1.1	0xed31	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.467833042 CET	192.168.2.9	1.1.1.1	0x7054	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.481424093 CET	192.168.2.9	1.1.1.1	0x5021	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.518603086 CET	192.168.2.9	1.1.1.1	0x935c	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.531332970 CET	192.168.2.9	1.1.1.1	0xe6b2	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.586497068 CET	192.168.2.9	1.1.1.1	0x7317	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.606601954 CET	192.168.2.9	1.1.1.1	0x1f29	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.633968115 CET	192.168.2.9	1.1.1.1	0x8a5b	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.646538973 CET	192.168.2.9	1.1.1.1	0x34f	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.657613039 CET	192.168.2.9	1.1.1.1	0xb19e	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:06.312278986 CET	192.168.2.9	1.1.1.1	0xfde4	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.300549030 CET	192.168.2.9	1.1.1.1	0x1e5b	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.312066078 CET	192.168.2.9	1.1.1.1	0x22b0	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.325910091 CET	192.168.2.9	1.1.1.1	0x57b7	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.337703943 CET	192.168.2.9	1.1.1.1	0xabef	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.349519968 CET	192.168.2.9	1.1.1.1	0x6fe0	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.361692905 CET	192.168.2.9	1.1.1.1	0xdb2a	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.374377966 CET	192.168.2.9	1.1.1.1	0xc1d9	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.385550976 CET	192.168.2.9	1.1.1.1	0xffb2	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.397151947 CET	192.168.2.9	1.1.1.1	0xd582	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.407959938 CET	192.168.2.9	1.1.1.1	0x81c6	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.424644947 CET	192.168.2.9	1.1.1.1	0x7958	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.435441971 CET	192.168.2.9	1.1.1.1	0x92c4	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.469670057 CET	192.168.2.9	1.1.1.1	0x10a2	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.491621017 CET	192.168.2.9	1.1.1.1	0x8b06	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.507894039 CET	192.168.2.9	1.1.1.1	0xc535	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.520184040 CET	192.168.2.9	1.1.1.1	0x3e84	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.690572977 CET	192.168.2.9	1.1.1.1	0xfe4a	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.702745914 CET	192.168.2.9	1.1.1.1	0xbebe	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.713032961 CET	192.168.2.9	1.1.1.1	0x2b19	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.723011017 CET	192.168.2.9	1.1.1.1	0x2fa	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.733150959 CET	192.168.2.9	1.1.1.1	0xa72e	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.742877007 CET	192.168.2.9	1.1.1.1	0xd532	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.754760027 CET	192.168.2.9	1.1.1.1	0xe759	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.764802933 CET	192.168.2.9	1.1.1.1	0x4155	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.777291059 CET	192.168.2.9	1.1.1.1	0xe709	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.456933975 CET	192.168.2.9	1.1.1.1	0x2408	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.489557981 CET	192.168.2.9	1.1.1.1	0xc789	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.501261950 CET	192.168.2.9	1.1.1.1	0x5b3b	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.512903929 CET	192.168.2.9	1.1.1.1	0xbdb0	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.550962925 CET	192.168.2.9	1.1.1.1	0xe116	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.562419891 CET	192.168.2.9	1.1.1.1	0x15c7	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.573869944 CET	192.168.2.9	1.1.1.1	0x54b	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.584475994 CET	192.168.2.9	1.1.1.1	0x7526	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.616604090 CET	192.168.2.9	1.1.1.1	0x73e0	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.628298044 CET	192.168.2.9	1.1.1.1	0xc0da	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.499733925 CET	192.168.2.9	1.1.1.1	0xe5bc	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.673497915 CET	192.168.2.9	1.1.1.1	0xa7ea	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.687664986 CET	192.168.2.9	1.1.1.1	0x5c6b	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.699076891 CET	192.168.2.9	1.1.1.1	0x10a4	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.711070061 CET	192.168.2.9	1.1.1.1	0x22b1	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.721386909 CET	192.168.2.9	1.1.1.1	0xcac	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.733007908 CET	192.168.2.9	1.1.1.1	0xe71c	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.765816927 CET	192.168.2.9	1.1.1.1	0x3c17	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.777429104 CET	192.168.2.9	1.1.1.1	0x6340	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.789052963 CET	192.168.2.9	1.1.1.1	0x1fec	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.800043106 CET	192.168.2.9	1.1.1.1	0xca74	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.811073065 CET	192.168.2.9	1.1.1.1	0xb11d	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.822252989 CET	192.168.2.9	1.1.1.1	0xaa47	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.833317995 CET	192.168.2.9	1.1.1.1	0xf8cb	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.843699932 CET	192.168.2.9	1.1.1.1	0x6080	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.876708984 CET	192.168.2.9	1.1.1.1	0xe60e	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.888058901 CET	192.168.2.9	1.1.1.1	0x30fd	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.899601936 CET	192.168.2.9	1.1.1.1	0xf8fb	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.911302090 CET	192.168.2.9	1.1.1.1	0xc692	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.923322916 CET	192.168.2.9	1.1.1.1	0xd059	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.941585064 CET	192.168.2.9	1.1.1.1	0xb7fe	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.951515913 CET	192.168.2.9	1.1.1.1	0xb3a3	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.962820053 CET	192.168.2.9	1.1.1.1	0x3dcc	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.974587917 CET	192.168.2.9	1.1.1.1	0x8da7	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.986459017 CET	192.168.2.9	1.1.1.1	0xad8d	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.996877909 CET	192.168.2.9	1.1.1.1	0xc3d	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.007050991 CET	192.168.2.9	1.1.1.1	0xf3f2	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.038011074 CET	192.168.2.9	1.1.1.1	0x46e7	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.047962904 CET	192.168.2.9	1.1.1.1	0xd05c	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.058316946 CET	192.168.2.9	1.1.1.1	0x764f	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.068182945 CET	192.168.2.9	1.1.1.1	0x7de8	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.099337101 CET	192.168.2.9	1.1.1.1	0x6822	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.132664919 CET	192.168.2.9	1.1.1.1	0x5140	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.144793987 CET	192.168.2.9	1.1.1.1	0xd4df	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.156441927 CET	192.168.2.9	1.1.1.1	0xc87e	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.313602924 CET	192.168.2.9	1.1.1.1	0x91fd	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.324788094 CET	192.168.2.9	1.1.1.1	0x4797	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.335685968 CET	192.168.2.9	1.1.1.1	0x90c2	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.491254091 CET	192.168.2.9	1.1.1.1	0x853b	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.658339977 CET	192.168.2.9	1.1.1.1	0x309f	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.669090033 CET	192.168.2.9	1.1.1.1	0xf235	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.680232048 CET	192.168.2.9	1.1.1.1	0xddb9	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.691948891 CET	192.168.2.9	1.1.1.1	0xfae7	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.724044085 CET	192.168.2.9	1.1.1.1	0x98ef	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.734709978 CET	192.168.2.9	1.1.1.1	0xc6e5	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.646212101 CET	192.168.2.9	1.1.1.1	0x36c5	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.661416054 CET	192.168.2.9	1.1.1.1	0xcd6f	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.671947956 CET	192.168.2.9	1.1.1.1	0x7447	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.683032036 CET	192.168.2.9	1.1.1.1	0x449c	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.691564083 CET	192.168.2.9	1.1.1.1	0xa4bd	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.702040911 CET	192.168.2.9	1.1.1.1	0xda79	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.712354898 CET	192.168.2.9	1.1.1.1	0x624b	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.743973017 CET	192.168.2.9	1.1.1.1	0xdf36	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.754215956 CET	192.168.2.9	1.1.1.1	0x2d6d	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.787421942 CET	192.168.2.9	1.1.1.1	0x9f01	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.798731089 CET	192.168.2.9	1.1.1.1	0xdef4	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 15:36:32.551434994 CET	1.1.1.1	192.168.2.9	0xa45e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:36:32.551434994 CET	1.1.1.1	192.168.2.9	0xa45e	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:36:32.551434994 CET	1.1.1.1	192.168.2.9	0xa45e	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.145225048 CET	1.1.1.1	192.168.2.9	0x91d0	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.177762985 CET	1.1.1.1	192.168.2.9	0x135a	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.188525915 CET	1.1.1.1	192.168.2.9	0x5e73	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.199429035 CET	1.1.1.1	192.168.2.9	0x84b8	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.207257986 CET	1.1.1.1	192.168.2.9	0xfffb	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.217824936 CET	1.1.1.1	192.168.2.9	0x5c94	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.229033947 CET	1.1.1.1	192.168.2.9	0x5d3a	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.260451078 CET	1.1.1.1	192.168.2.9	0x3880	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.304614067 CET	1.1.1.1	192.168.2.9	0xd7cf	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.315557003 CET	1.1.1.1	192.168.2.9	0xf5b0	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.325692892 CET	1.1.1.1	192.168.2.9	0xccc	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.357922077 CET	1.1.1.1	192.168.2.9	0xec0f	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.368921041 CET	1.1.1.1	192.168.2.9	0x7ca2	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.380630970 CET	1.1.1.1	192.168.2.9	0xdecc	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.393460035 CET	1.1.1.1	192.168.2.9	0x4653	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:41.788630962 CET	1.1.1.1	192.168.2.9	0x24a1	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:36:41.788630962 CET	1.1.1.1	192.168.2.9	0x24a1	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.525423050 CET	1.1.1.1	192.168.2.9	0xbf4c	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.537184000 CET	1.1.1.1	192.168.2.9	0x8643	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.572504044 CET	1.1.1.1	192.168.2.9	0x76bf	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.581011057 CET	1.1.1.1	192.168.2.9	0xc5	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:42.777832985 CET	1.1.1.1	192.168.2.9	0x2f02	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.706975937 CET	1.1.1.1	192.168.2.9	0x5bf2	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.718275070 CET	1.1.1.1	192.168.2.9	0x8ea2	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.750669003 CET	1.1.1.1	192.168.2.9	0xe870	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.761961937 CET	1.1.1.1	192.168.2.9	0xea41	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.773670912 CET	1.1.1.1	192.168.2.9	0xbc69	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.783243895 CET	1.1.1.1	192.168.2.9	0x178f	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.794020891 CET	1.1.1.1	192.168.2.9	0xcfaf	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.805041075 CET	1.1.1.1	192.168.2.9	0x8a18	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.816159964 CET	1.1.1.1	192.168.2.9	0xefec	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.827109098 CET	1.1.1.1	192.168.2.9	0xdf9	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.839308977 CET	1.1.1.1	192.168.2.9	0x8a1a	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.849375963 CET	1.1.1.1	192.168.2.9	0x5ef9	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.861718893 CET	1.1.1.1	192.168.2.9	0x7e39	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.880482912 CET	1.1.1.1	192.168.2.9	0x6b53	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.912039995 CET	1.1.1.1	192.168.2.9	0xb7	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.923182964 CET	1.1.1.1	192.168.2.9	0xd23d	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.934474945 CET	1.1.1.1	192.168.2.9	0x2257	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:44.944849968 CET	1.1.1.1	192.168.2.9	0x5eaa	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.116229057 CET	1.1.1.1	192.168.2.9	0xa8ea	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.150058031 CET	1.1.1.1	192.168.2.9	0x3bba	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.183279991 CET	1.1.1.1	192.168.2.9	0x56e9	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.195185900 CET	1.1.1.1	192.168.2.9	0xc2b5	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.222891092 CET	1.1.1.1	192.168.2.9	0x533d	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.254772902 CET	1.1.1.1	192.168.2.9	0x1eb2	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.265538931 CET	1.1.1.1	192.168.2.9	0x416	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.298223972 CET	1.1.1.1	192.168.2.9	0x2c92	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.315295935 CET	1.1.1.1	192.168.2.9	0x7174	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.327004910 CET	1.1.1.1	192.168.2.9	0x17f5	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.359874964 CET	1.1.1.1	192.168.2.9	0x4367	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.374948025 CET	1.1.1.1	192.168.2.9	0x6c30	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.407706976 CET	1.1.1.1	192.168.2.9	0x1b1f	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.439616919 CET	1.1.1.1	192.168.2.9	0xcbca	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.451114893 CET	1.1.1.1	192.168.2.9	0x2231	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.484122992 CET	1.1.1.1	192.168.2.9	0x8190	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.495126963 CET	1.1.1.1	192.168.2.9	0x2fb7	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.506206036 CET	1.1.1.1	192.168.2.9	0xad7d	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.517035007 CET	1.1.1.1	192.168.2.9	0x2d3	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.549072027 CET	1.1.1.1	192.168.2.9	0x1fcc	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.566492081 CET	1.1.1.1	192.168.2.9	0xecd	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.576580048 CET	1.1.1.1	192.168.2.9	0x199	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.587358952 CET	1.1.1.1	192.168.2.9	0xda78	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.597523928 CET	1.1.1.1	192.168.2.9	0x22e8	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.607342958 CET	1.1.1.1	192.168.2.9	0xf4a2	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.617626905 CET	1.1.1.1	192.168.2.9	0x37e3	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.651417971 CET	1.1.1.1	192.168.2.9	0x634d	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.683784008 CET	1.1.1.1	192.168.2.9	0xe55	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.694428921 CET	1.1.1.1	192.168.2.9	0x6d33	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.726552010 CET	1.1.1.1	192.168.2.9	0xbd9a	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.737709999 CET	1.1.1.1	192.168.2.9	0x64f	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.749027014 CET	1.1.1.1	192.168.2.9	0xa8ad	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.780922890 CET	1.1.1.1	192.168.2.9	0x69cb	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.812597036 CET	1.1.1.1	192.168.2.9	0x9fc2	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:45.823563099 CET	1.1.1.1	192.168.2.9	0x91b3	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:46.015868902 CET	1.1.1.1	192.168.2.9	0xdee6	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.051615000 CET	1.1.1.1	192.168.2.9	0xf46	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.061992884 CET	1.1.1.1	192.168.2.9	0xe3db	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.233160019 CET	1.1.1.1	192.168.2.9	0x572a	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.324249029 CET	1.1.1.1	192.168.2.9	0xafe7	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.342902899 CET	1.1.1.1	192.168.2.9	0xd80f	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.356717110 CET	1.1.1.1	192.168.2.9	0xd7a0	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.370729923 CET	1.1.1.1	192.168.2.9	0xee0	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.384047985 CET	1.1.1.1	192.168.2.9	0x122b	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.397938013 CET	1.1.1.1	192.168.2.9	0xc309	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.411195993 CET	1.1.1.1	192.168.2.9	0x592b	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.443680048 CET	1.1.1.1	192.168.2.9	0xa7a8	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.454735994 CET	1.1.1.1	192.168.2.9	0x5f93	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.486695051 CET	1.1.1.1	192.168.2.9	0xcaf9	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.517868996 CET	1.1.1.1	192.168.2.9	0x2b94	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.550509930 CET	1.1.1.1	192.168.2.9	0xf83d	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.561275005 CET	1.1.1.1	192.168.2.9	0x932c	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.594464064 CET	1.1.1.1	192.168.2.9	0x1e21	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.627815008 CET	1.1.1.1	192.168.2.9	0xd5dc	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.639123917 CET	1.1.1.1	192.168.2.9	0x8a7e	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.670681953 CET	1.1.1.1	192.168.2.9	0xc286	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.702897072 CET	1.1.1.1	192.168.2.9	0xb100	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.714945078 CET	1.1.1.1	192.168.2.9	0x8728	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.746973038 CET	1.1.1.1	192.168.2.9	0x48d3	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.758708954 CET	1.1.1.1	192.168.2.9	0x5cb3	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:47.792493105 CET	1.1.1.1	192.168.2.9	0x3c60	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.175153971 CET	1.1.1.1	192.168.2.9	0x9415	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:36:48.175153971 CET	1.1.1.1	192.168.2.9	0x9415	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.840154886 CET	1.1.1.1	192.168.2.9	0xd43c	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.855289936 CET	1.1.1.1	192.168.2.9	0x2d32	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.871088028 CET	1.1.1.1	192.168.2.9	0xfc41	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.885462046 CET	1.1.1.1	192.168.2.9	0x15bc	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.896287918 CET	1.1.1.1	192.168.2.9	0x7c29	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.909605026 CET	1.1.1.1	192.168.2.9	0x3b9a	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.922087908 CET	1.1.1.1	192.168.2.9	0x5a3d	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.932671070 CET	1.1.1.1	192.168.2.9	0x7b08	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.964040995 CET	1.1.1.1	192.168.2.9	0x987f	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:48.978276968 CET	1.1.1.1	192.168.2.9	0xa74	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:49.183183908 CET	1.1.1.1	192.168.2.9	0x4dbe	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.069937944 CET	1.1.1.1	192.168.2.9	0xc85	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.102983952 CET	1.1.1.1	192.168.2.9	0xbae	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.113197088 CET	1.1.1.1	192.168.2.9	0x6366	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.146121025 CET	1.1.1.1	192.168.2.9	0x59dd	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.178510904 CET	1.1.1.1	192.168.2.9	0x66ec	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.189460993 CET	1.1.1.1	192.168.2.9	0x5199	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.221637964 CET	1.1.1.1	192.168.2.9	0xb63b	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.232311010 CET	1.1.1.1	192.168.2.9	0xc3a7	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.244137049 CET	1.1.1.1	192.168.2.9	0x9bc3	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.255127907 CET	1.1.1.1	192.168.2.9	0xb7af	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.265244961 CET	1.1.1.1	192.168.2.9	0x869f	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.277667999 CET	1.1.1.1	192.168.2.9	0x739f	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.288007021 CET	1.1.1.1	192.168.2.9	0xdcb4	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.297745943 CET	1.1.1.1	192.168.2.9	0xcb20	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.308209896 CET	1.1.1.1	192.168.2.9	0x2fa2	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.319504023 CET	1.1.1.1	192.168.2.9	0x5ac7	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.330214977 CET	1.1.1.1	192.168.2.9	0x8134	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.341267109 CET	1.1.1.1	192.168.2.9	0x6f2f	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.352261066 CET	1.1.1.1	192.168.2.9	0x2f78	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.362915039 CET	1.1.1.1	192.168.2.9	0x9995	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.373195887 CET	1.1.1.1	192.168.2.9	0xe06c	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.533394098 CET	1.1.1.1	192.168.2.9	0x75a3	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.544598103 CET	1.1.1.1	192.168.2.9	0x2ee3	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.556175947 CET	1.1.1.1	192.168.2.9	0x532c	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.567590952 CET	1.1.1.1	192.168.2.9	0xa9ed	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.578109026 CET	1.1.1.1	192.168.2.9	0xbad2	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.588618994 CET	1.1.1.1	192.168.2.9	0xc0f	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.599906921 CET	1.1.1.1	192.168.2.9	0x933b	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.610681057 CET	1.1.1.1	192.168.2.9	0xf48c	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.622925997 CET	1.1.1.1	192.168.2.9	0x6416	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.787349939 CET	1.1.1.1	192.168.2.9	0x5921	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:51.881700993 CET	1.1.1.1	192.168.2.9	0x9340	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.001473904 CET	1.1.1.1	192.168.2.9	0x1e28	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.055713892 CET	1.1.1.1	192.168.2.9	0xf6b9	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.117743969 CET	1.1.1.1	192.168.2.9	0x52ba	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.155544043 CET	1.1.1.1	192.168.2.9	0x60bb	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.238694906 CET	1.1.1.1	192.168.2.9	0xa792	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.265528917 CET	1.1.1.1	192.168.2.9	0x831	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.277210951 CET	1.1.1.1	192.168.2.9	0xc0ec	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.286815882 CET	1.1.1.1	192.168.2.9	0x5244	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.296794891 CET	1.1.1.1	192.168.2.9	0xba02	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.307910919 CET	1.1.1.1	192.168.2.9	0xd6d	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.339756966 CET	1.1.1.1	192.168.2.9	0x76fc	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.351840019 CET	1.1.1.1	192.168.2.9	0x20ca	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.362927914 CET	1.1.1.1	192.168.2.9	0x195a	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:52.411211967 CET	1.1.1.1	192.168.2.9	0x1b5	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.364907980 CET	1.1.1.1	192.168.2.9	0xd7a2	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.378197908 CET	1.1.1.1	192.168.2.9	0xab62	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.391110897 CET	1.1.1.1	192.168.2.9	0x534d	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.403758049 CET	1.1.1.1	192.168.2.9	0xe4a5	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.416626930 CET	1.1.1.1	192.168.2.9	0x3e1d	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.432708979 CET	1.1.1.1	192.168.2.9	0x775a	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.445683002 CET	1.1.1.1	192.168.2.9	0xef07	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.459511995 CET	1.1.1.1	192.168.2.9	0xf1da	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.474066973 CET	1.1.1.1	192.168.2.9	0xa4d7	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.510129929 CET	1.1.1.1	192.168.2.9	0x4286	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:36:53.523245096 CET	1.1.1.1	192.168.2.9	0x76bd	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:37:06.223705053 CET	1.1.1.1	192.168.2.9	0x5e16	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.449049950 CET	1.1.1.1	192.168.2.9	0x1e0f	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.480163097 CET	1.1.1.1	192.168.2.9	0x6ef9	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.491534948 CET	1.1.1.1	192.168.2.9	0x447d	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.522877932 CET	1.1.1.1	192.168.2.9	0x684c	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.554927111 CET	1.1.1.1	192.168.2.9	0xda23	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.565845966 CET	1.1.1.1	192.168.2.9	0x9bb4	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.577357054 CET	1.1.1.1	192.168.2.9	0x80d3	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.589478016 CET	1.1.1.1	192.168.2.9	0x466c	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.622051001 CET	1.1.1.1	192.168.2.9	0xc7c8	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.639750957 CET	1.1.1.1	192.168.2.9	0xc916	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.650511980 CET	1.1.1.1	192.168.2.9	0x1b2a	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.662019968 CET	1.1.1.1	192.168.2.9	0x508f	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.696595907 CET	1.1.1.1	192.168.2.9	0x101b	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.710567951 CET	1.1.1.1	192.168.2.9	0x3d6f	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:01.742269993 CET	1.1.1.1	192.168.2.9	0xce10	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.504389048 CET	1.1.1.1	192.168.2.9	0xaa4e	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.515393972 CET	1.1.1.1	192.168.2.9	0x865	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.556268930 CET	1.1.1.1	192.168.2.9	0x3c51	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:02.574297905 CET	1.1.1.1	192.168.2.9	0xaf47	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.458347082 CET	1.1.1.1	192.168.2.9	0xb876	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.469228029 CET	1.1.1.1	192.168.2.9	0x2791	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.480494976 CET	1.1.1.1	192.168.2.9	0x5403	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.513540983 CET	1.1.1.1	192.168.2.9	0x513	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.525290966 CET	1.1.1.1	192.168.2.9	0xb975	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.560516119 CET	1.1.1.1	192.168.2.9	0x5499	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.571487904 CET	1.1.1.1	192.168.2.9	0xa963	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.582988024 CET	1.1.1.1	192.168.2.9	0xed71	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.594140053 CET	1.1.1.1	192.168.2.9	0x5586	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.605259895 CET	1.1.1.1	192.168.2.9	0x88f1	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.615406990 CET	1.1.1.1	192.168.2.9	0x168f	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.646536112 CET	1.1.1.1	192.168.2.9	0x1b09	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.678975105 CET	1.1.1.1	192.168.2.9	0x15d1	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.690696955 CET	1.1.1.1	192.168.2.9	0xafce	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.722465038 CET	1.1.1.1	192.168.2.9	0xd797	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.733623028 CET	1.1.1.1	192.168.2.9	0x45f8	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.745835066 CET	1.1.1.1	192.168.2.9	0x6ad9	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.781147957 CET	1.1.1.1	192.168.2.9	0xc568	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.792872906 CET	1.1.1.1	192.168.2.9	0xceb1	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.825900078 CET	1.1.1.1	192.168.2.9	0x299b	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.858939886 CET	1.1.1.1	192.168.2.9	0xd882	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.871344090 CET	1.1.1.1	192.168.2.9	0x1ffb	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.883877039 CET	1.1.1.1	192.168.2.9	0xcc49	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.895503998 CET	1.1.1.1	192.168.2.9	0x5429	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.907083035 CET	1.1.1.1	192.168.2.9	0x81ae	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.921077013 CET	1.1.1.1	192.168.2.9	0x4bc3	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.933444023 CET	1.1.1.1	192.168.2.9	0xfdd5	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:04.967891932 CET	1.1.1.1	192.168.2.9	0xe230	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.001133919 CET	1.1.1.1	192.168.2.9	0x43cf	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.013895988 CET	1.1.1.1	192.168.2.9	0x149	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.026895046 CET	1.1.1.1	192.168.2.9	0x3d88	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.037261009 CET	1.1.1.1	192.168.2.9	0xed0b	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.072228909 CET	1.1.1.1	192.168.2.9	0xe42	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.107861996 CET	1.1.1.1	192.168.2.9	0x87f2	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.144309998 CET	1.1.1.1	192.168.2.9	0x24b5	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.156295061 CET	1.1.1.1	192.168.2.9	0x555	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.225006104 CET	1.1.1.1	192.168.2.9	0x40a0	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.242798090 CET	1.1.1.1	192.168.2.9	0x431	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.253448963 CET	1.1.1.1	192.168.2.9	0x617c	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.289071083 CET	1.1.1.1	192.168.2.9	0x4689	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.344784975 CET	1.1.1.1	192.168.2.9	0xb9ae	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.394434929 CET	1.1.1.1	192.168.2.9	0x2ec6	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.446806908 CET	1.1.1.1	192.168.2.9	0xed31	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.478264093 CET	1.1.1.1	192.168.2.9	0x7054	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.517384052 CET	1.1.1.1	192.168.2.9	0x5021	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.529195070 CET	1.1.1.1	192.168.2.9	0x935c	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.540546894 CET	1.1.1.1	192.168.2.9	0xe6b2	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.605618000 CET	1.1.1.1	192.168.2.9	0x7317	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.633152962 CET	1.1.1.1	192.168.2.9	0x1f29	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.645726919 CET	1.1.1.1	192.168.2.9	0x8a5b	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:05.656874895 CET	1.1.1.1	192.168.2.9	0x34f	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:06.343605042 CET	1.1.1.1	192.168.2.9	0xfde4	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.311254978 CET	1.1.1.1	192.168.2.9	0x1e5b	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.324434996 CET	1.1.1.1	192.168.2.9	0x22b0	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.336504936 CET	1.1.1.1	192.168.2.9	0x57b7	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.348666906 CET	1.1.1.1	192.168.2.9	0xabef	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.359586954 CET	1.1.1.1	192.168.2.9	0x6fe0	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.373624086 CET	1.1.1.1	192.168.2.9	0xdb2a	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.384836912 CET	1.1.1.1	192.168.2.9	0xc1d9	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.396369934 CET	1.1.1.1	192.168.2.9	0xffb2	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.407377958 CET	1.1.1.1	192.168.2.9	0xd582	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.423894882 CET	1.1.1.1	192.168.2.9	0x81c6	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.434694052 CET	1.1.1.1	192.168.2.9	0x7958	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.468769073 CET	1.1.1.1	192.168.2.9	0x92c4	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.490694046 CET	1.1.1.1	192.168.2.9	0x10a2	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.502863884 CET	1.1.1.1	192.168.2.9	0x8b06	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.517951965 CET	1.1.1.1	192.168.2.9	0xc535	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.689591885 CET	1.1.1.1	192.168.2.9	0x3e84	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.702162981 CET	1.1.1.1	192.168.2.9	0xfe4a	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.712467909 CET	1.1.1.1	192.168.2.9	0xbebe	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.722544909 CET	1.1.1.1	192.168.2.9	0x2b19	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.732669115 CET	1.1.1.1	192.168.2.9	0x2fa	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.742307901 CET	1.1.1.1	192.168.2.9	0xa72e	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.753990889 CET	1.1.1.1	192.168.2.9	0xd532	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.764252901 CET	1.1.1.1	192.168.2.9	0xe759	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.776774883 CET	1.1.1.1	192.168.2.9	0x4155	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:07.788712025 CET	1.1.1.1	192.168.2.9	0xe709	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.488342047 CET	1.1.1.1	192.168.2.9	0x2408	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.500252962 CET	1.1.1.1	192.168.2.9	0xc789	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.512100935 CET	1.1.1.1	192.168.2.9	0x5b3b	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.545036077 CET	1.1.1.1	192.168.2.9	0xbdb0	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.561583996 CET	1.1.1.1	192.168.2.9	0xe116	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.573133945 CET	1.1.1.1	192.168.2.9	0x15c7	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.583730936 CET	1.1.1.1	192.168.2.9	0x54b	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.615607023 CET	1.1.1.1	192.168.2.9	0x7526	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.627393961 CET	1.1.1.1	192.168.2.9	0x73e0	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:08.638802052 CET	1.1.1.1	192.168.2.9	0xc0da	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.672561884 CET	1.1.1.1	192.168.2.9	0xe5bc	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.686836004 CET	1.1.1.1	192.168.2.9	0xa7ea	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.698169947 CET	1.1.1.1	192.168.2.9	0x5c6b	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.710377932 CET	1.1.1.1	192.168.2.9	0x10a4	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.720669031 CET	1.1.1.1	192.168.2.9	0x22b1	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.732326031 CET	1.1.1.1	192.168.2.9	0xcac	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.765047073 CET	1.1.1.1	192.168.2.9	0xe71c	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.776478052 CET	1.1.1.1	192.168.2.9	0x3c17	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.788181067 CET	1.1.1.1	192.168.2.9	0x6340	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.799160957 CET	1.1.1.1	192.168.2.9	0x1fec	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.810364962 CET	1.1.1.1	192.168.2.9	0xca74	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.821604967 CET	1.1.1.1	192.168.2.9	0xb11d	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.832634926 CET	1.1.1.1	192.168.2.9	0xaa47	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.843082905 CET	1.1.1.1	192.168.2.9	0xf8cb	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.875849962 CET	1.1.1.1	192.168.2.9	0x6080	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.887226105 CET	1.1.1.1	192.168.2.9	0xe60e	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.898766041 CET	1.1.1.1	192.168.2.9	0x30fd	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.910420895 CET	1.1.1.1	192.168.2.9	0xf8fb	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.922327042 CET	1.1.1.1	192.168.2.9	0xc692	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.938925028 CET	1.1.1.1	192.168.2.9	0xd059	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.950731039 CET	1.1.1.1	192.168.2.9	0xb7fe	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.962107897 CET	1.1.1.1	192.168.2.9	0xb3a3	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.973789930 CET	1.1.1.1	192.168.2.9	0x3dcc	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.985744953 CET	1.1.1.1	192.168.2.9	0x8da7	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:10.996197939 CET	1.1.1.1	192.168.2.9	0xad8d	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.006370068 CET	1.1.1.1	192.168.2.9	0xc3d	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.037195921 CET	1.1.1.1	192.168.2.9	0xf3f2	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.047250986 CET	1.1.1.1	192.168.2.9	0x46e7	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.057559013 CET	1.1.1.1	192.168.2.9	0xd05c	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.067289114 CET	1.1.1.1	192.168.2.9	0x764f	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.098397017 CET	1.1.1.1	192.168.2.9	0x7de8	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.131788015 CET	1.1.1.1	192.168.2.9	0x6822	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.143851042 CET	1.1.1.1	192.168.2.9	0x5140	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.155627012 CET	1.1.1.1	192.168.2.9	0xd4df	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.312732935 CET	1.1.1.1	192.168.2.9	0xc87e	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.323893070 CET	1.1.1.1	192.168.2.9	0x91fd	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.334952116 CET	1.1.1.1	192.168.2.9	0x4797	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.490267992 CET	1.1.1.1	192.168.2.9	0x90c2	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.657113075 CET	1.1.1.1	192.168.2.9	0x853b	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.668025017 CET	1.1.1.1	192.168.2.9	0x309f	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.679255962 CET	1.1.1.1	192.168.2.9	0xf235	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.689918995 CET	1.1.1.1	192.168.2.9	0xddb9	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.722966909 CET	1.1.1.1	192.168.2.9	0xfae7	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.734047890 CET	1.1.1.1	192.168.2.9	0x98ef	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:11.766438961 CET	1.1.1.1	192.168.2.9	0xc6e5	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.655509949 CET	1.1.1.1	192.168.2.9	0x36c5	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.671128988 CET	1.1.1.1	192.168.2.9	0xcd6f	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.682415009 CET	1.1.1.1	192.168.2.9	0x7447	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.690926075 CET	1.1.1.1	192.168.2.9	0x449c	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.701512098 CET	1.1.1.1	192.168.2.9	0xa4bd	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.711639881 CET	1.1.1.1	192.168.2.9	0xda79	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.743012905 CET	1.1.1.1	192.168.2.9	0x624b	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.753505945 CET	1.1.1.1	192.168.2.9	0xdf36	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.786721945 CET	1.1.1.1	192.168.2.9	0x2d6d	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.798074961 CET	1.1.1.1	192.168.2.9	0x9f01	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:38:12.808193922 CET	1.1.1.1	192.168.2.9	0xdef4	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49747	199.59.243.227	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:41.824665070 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:36:42.482978106 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:36:41 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 3f02e589-43fa-4b96-af5c-0c9a9f0e4298 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=3f02e589-43fa-4b96-af5c-0c9a9f0e4298; expires=Thu, 07 Nov 2024 14:51:42 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:36:42.483071089 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2YwMmU1ODktNDNmYS00Yjk2LWFmNWMtMGM5YTlmMGU0Mjk4IiwicGFnZV90aW1lIjoxNzMwOTkwMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49753	18.143.155.63	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:42.783696890 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:36:44.257329941 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:36:43 GMT Content-Type: text/html Connection: close Set-Cookie: btst=0dc46102039784c9ef83b6d925ce2fab\|173.254.250.79\|1730990203\|1730990203\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49769	54.244.188.177	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:46.022080898 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:36:46.891947031 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:36:46 GMT Content-Type: text/html Connection: close Set-Cookie: btst=135c25d6777ff468c5c19d5afb696b08\|173.254.250.79\|1730990206\|1730990206\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49782	199.59.243.227	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:48.180963993 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:36:48.807310104 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:36:48 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: cd5fef8e-65a3-46bd-8a3d-a4253495392a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=cd5fef8e-65a3-46bd-8a3d-a4253495392a; expires=Thu, 07 Nov 2024 14:51:48 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:36:48.807823896 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2Q1ZmVmOGUtNjVhMy00NmJkLThhM2QtYTQyNTM0OTUzOTJhIiwicGFnZV90aW1lIjoxNzMwOTkwMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49789	18.143.155.63	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:49.188824892 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:36:50.642986059 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:36:50 GMT Content-Type: text/html Connection: close Set-Cookie: btst=0ab1258f3aa3d5846c42a9435687c48b\|173.254.250.79\|1730990210\|1730990210\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49807	85.214.228.140	80	7800	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:36:52.421741009 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:36:53.326940060 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:36:53 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49980	199.59.243.227	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:01.750246048 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:38:02.378360033 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:38:01 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 60a5f64b-d2b0-4d42-b595-00f3a571d6a9 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=60a5f64b-d2b0-4d42-b595-00f3a571d6a9; expires=Thu, 07 Nov 2024 14:53:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:38:02.378474951 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjBhNWY2NGItZDJiMC00ZDQyLWI1OTUtMDBmM2E1NzFkNmE5IiwicGFnZV90aW1lIjoxNzMwOTkwMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49981	18.143.155.63	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:02.588852882 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:38:04.024375916 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:38:03 GMT Content-Type: text/html Connection: close Set-Cookie: btst=e74e8eb0f89a7373ca40adbd094a7c36\|173.254.250.79\|1730990283\|1730990283\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	63792	54.244.188.177	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:06.349591017 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:38:07.177685976 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:38:07 GMT Content-Type: text/html Connection: close Set-Cookie: btst=645dd3b293070f69df48510abd07fbfd\|173.254.250.79\|1730990287\|1730990287\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	63793	199.59.243.227	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:07.796103001 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:38:08.455400944 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:38:07 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 92653699-6655-494a-8aec-3ef870014d99 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=92653699-6655-494a-8aec-3ef870014d99; expires=Thu, 07 Nov 2024 14:53:08 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:38:08.455430031 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTI2NTM2OTktNjY1NS00OTRhLThhZWMtM2VmODcwMDE0ZDk5IiwicGFnZV90aW1lIjoxNzMwOTkwMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	63794	18.143.155.63	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:08.644896030 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:38:10.079900980 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:38:09 GMT Content-Type: text/html Connection: close Set-Cookie: btst=c2daeabf4a764f1c751a415490e50c2a\|173.254.250.79\|1730990289\|1730990289\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	63795	85.214.228.140	80	6516	C:\iduicjypf\evwoxfz.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:38:11.779052019 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:38:12.644689083 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:38:12 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Target ID:	0
Start time:	09:36:36
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\PORgjGswYg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PORgjGswYg.exe"
Imagebase:	0xfe0000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:36:36
Start date:	07/11/2024
Path:	C:\iduicjypf\d939bcdhmynt2wokv.exe
Wow64 process (32bit):	true
Commandline:	"C:\iduicjypf\d939bcdhmynt2wokv.exe"
Imagebase:	0xac0000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:36:36
Start date:	07/11/2024
Path:	C:\iduicjypf\evwoxfz.exe
Wow64 process (32bit):	true
Commandline:	C:\iduicjypf\evwoxfz.exe
Imagebase:	0xd10000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:36:38
Start date:	07/11/2024
Path:	C:\iduicjypf\pubealmiyel.exe
Wow64 process (32bit):	true
Commandline:	nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"
Imagebase:	0xc70000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:36:39
Start date:	07/11/2024
Path:	C:\iduicjypf\evwoxfz.exe
Wow64 process (32bit):	true
Commandline:	"C:\iduicjypf\evwoxfz.exe"
Imagebase:	0xd10000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:37:56
Start date:	07/11/2024
Path:	C:\iduicjypf\evwoxfz.exe
Wow64 process (32bit):	true
Commandline:	"c:\iduicjypf\evwoxfz.exe"
Imagebase:	0xd10000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:37:57
Start date:	07/11/2024
Path:	C:\iduicjypf\pubealmiyel.exe
Wow64 process (32bit):	true
Commandline:	nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"
Imagebase:	0x7ff70f010000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:39:34
Start date:	07/11/2024
Path:	C:\iduicjypf\evwoxfz.exe
Wow64 process (32bit):	true
Commandline:	"c:\iduicjypf\evwoxfz.exe"
Imagebase:	0xd10000
File size:	242'688 bytes
MD5 hash:	E514C5D45CB8ABFD9BE33C7A7BFB3E22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.1%
Total number of Nodes:	1906
Total number of Limit Nodes:	28

Executed Functions

Function 01004E51 Relevance: 63.4, APIs: 29, Strings: 6, Instructions: 2114synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 01005988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 010059F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 01005A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 01005A92
GetTickCount.KERNEL32 ref: 01005B31

Part of subcall function 00FF6220: GetVersionExA.KERNEL32(01031250), ref: 00FF62F0
Part of subcall function 00FF6220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00FF640F

GetCommandLineA.KERNEL32 ref: 01005C00
Sleep.KERNEL32(000007D0), ref: 010062F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 010063D0
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 010063E6
CopyFileA.KERNEL32(?,00000000,00000000), ref: 01006401
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 010065FB
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 01006655
GetCommandLineA.KERNEL32 ref: 010066EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 01006787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 010069DB
WSAStartup.WS2_32(00000202,?), ref: 01006BD6
CloseHandle.KERNEL32 ref: 01006D98
SetFileAttributesA.KERNEL32(?,00000080), ref: 01006DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 01006E23

Part of subcall function 00FF1650: Sleep.KERNELBASE(000003E8), ref: 00FF1762
Part of subcall function 00FF1650: FindFirstFileA.KERNELBASE(?,?), ref: 00FF1850

Part of subcall function 0100F040: lstrlen.KERNEL32(?,?,00FE4EA1,?), ref: 0100F091

Sleep.KERNEL32(000003E8), ref: 01006270

Part of subcall function 010074D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 01007585
Part of subcall function 010074D0: Process32First.KERNEL32(00000000,00000128), ref: 010075E1
Part of subcall function 010074D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 0100768A

Strings

e, xrefs: 010057ED
C:\Users\user, xrefs: 01005982
-"[, xrefs: 010054AF, 010054C0
gcXO, xrefs: 01006818
7n2`, xrefs: 01005C78
W^V, xrefs: 01006CA6

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Users\user$W^V$gcXO$e
API String ID: 552692769-2751188716
Opcode ID: e9224d18a94e08522e8e72f16281b8e2860d61018ec8106d2378aebb48833127
Instruction ID: 1b40c7de3d4ca5159c870ac68ad8b081287a0eb0bf8f1ebda85bd5f3307e9e35
Opcode Fuzzy Hash: e9224d18a94e08522e8e72f16281b8e2860d61018ec8106d2378aebb48833127
Instruction Fuzzy Hash: 7813F0719002058BE739EF64ED96A7A37F9FB08701F20441AE9C6CB299EB7F9540CB51

Function 00FF6220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(01031250), ref: 00FF62F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00FF640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00FF659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00FF65D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00FF66CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF67C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 00FF6AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00FF6B2C

Part of subcall function 00FE7080: wvsprintfA.USER32(?,?,?), ref: 00FE70C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00FF6C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF6E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00FF6F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00FF709E

Strings

C:\Users\user, xrefs: 00FF694F, 00FF69EC
\, xrefs: 00FF6CEA
C:\iduicjypf\, xrefs: 00FF6707, 00FF6AEC, 00FF6D7B, 00FF6F4F

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Users\user$C:\iduicjypf\$\
API String ID: 3229173561-3579721949
Opcode ID: 7938b44fe20f47e3fc9fae030c74d871e5842b7feff9cec3d2d84ceeb97b545d
Instruction ID: 96ac99edb8f55f9be65964dc42428108ef98ac9c9f47b2ca0fa4071bac8e53d9
Opcode Fuzzy Hash: 7938b44fe20f47e3fc9fae030c74d871e5842b7feff9cec3d2d84ceeb97b545d
Instruction Fuzzy Hash: CC723771900209CBD734EF64FD82ABA37B4FB18301F20802AE985DB659EB7F9944DB55

Function 00FF1650 Relevance: 7.7, APIs: 5, Instructions: 180
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00FF1762
FindFirstFileA.KERNELBASE(?,?), ref: 00FF1850
DeleteFileA.KERNELBASE(?), ref: 00FF1901
FindNextFileA.KERNELBASE(00000000,?), ref: 00FF1924
FindClose.KERNEL32(00000000), ref: 00FF193D

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 3f08bdf98b09ed005e0b5f178996a6b186fd7e98af8cd2009a43c454afa352cb
Instruction ID: 8898f73139ec0cc7d2fb545fa3c6ec2bc5ee0a5f8039cc0bc5ea87ed1dc030f0
Opcode Fuzzy Hash: 3f08bdf98b09ed005e0b5f178996a6b186fd7e98af8cd2009a43c454afa352cb
Instruction Fuzzy Hash: A871EE32900258DBC774DFA8EC86AA637F8FB14711B244166E984C7259EB3F9940CB84

Function 01008700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010087C2
CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 01008815
FreeSid.ADVAPI32(?), ref: 01008874

Strings

V=, xrefs: 01008854

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: V=
API String ID: 3429775523-117639121
Opcode ID: 82707268326cc8eebd31f5fb4249df35d670716bf3638b66e1a769981097976f
Instruction ID: ff6cdc8b3fec014e07673c4f4c2064c9229aba2c5a1308a23ad59de565718312
Opcode Fuzzy Hash: 82707268326cc8eebd31f5fb4249df35d670716bf3638b66e1a769981097976f
Instruction Fuzzy Hash: B941CB75901204DBE7B5CFA8FA85A6977F4F718302F60805AE4C5D7288E73ED680CB11

Function 00FE6C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00FF9FF6,?,00FF9FF6,00000000), ref: 00FE6CA6
RtlFreeHeap.NTDLL(00000000,?,00FF9FF6,00000000), ref: 00FE6CAD

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: ffe94b946770097c467a4731077ad5d2d0e429c6a4a715841a01d4d0e2632aba
Instruction ID: 87830a3af91f2e2810f02e50857a44ce4d8911ec232d27539f73331a6a5b86d3
Opcode Fuzzy Hash: ffe94b946770097c467a4731077ad5d2d0e429c6a4a715841a01d4d0e2632aba
Instruction Fuzzy Hash: C9D0C731014308DFE7B0ABA8F84DA15376CF745705F504009F689CA059D67E55518B95

Function 00FEC09C Relevance: 2.8, Strings: 2, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

aiDB, xrefs: 00FEC4F5, 00FEC501
ESC, xrefs: 00FEC33B

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: aiDB$ESC
API String ID: 0-2526326009
Opcode ID: 697965486c22bfb96816fa8063ccae5f331e8b95f9d378e31b1336743a6cd512
Instruction ID: f912287f5bc3f50f203913e4d2a55189b9eb5d3deaed20cc4a41c185cb850a49
Opcode Fuzzy Hash: 697965486c22bfb96816fa8063ccae5f331e8b95f9d378e31b1336743a6cd512
Instruction Fuzzy Hash: ECD1877A611281CBD338CF69EAA153537F1F758315360452AE8C6CB29DEB3F9882DB44

Function 00FEC0C0 Relevance: 2.8, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

aiDB, xrefs: 00FEC4F5, 00FEC501
ESC, xrefs: 00FEC33B

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: aiDB$ESC
API String ID: 0-2526326009
Opcode ID: 14e16ee0660a52274f46602fdeb1a24f9b5373d48495ed7bc8e1ca7bff02dd0a
Instruction ID: 6a159cd66ce15db24454ac279f3d4efb65136c6a231d6a2b85f28137514c72c7
Opcode Fuzzy Hash: 14e16ee0660a52274f46602fdeb1a24f9b5373d48495ed7bc8e1ca7bff02dd0a
Instruction Fuzzy Hash: 09C1857A611281CBD338CF69FAA152537F1F758315360812AE8C6CB29CEB3F9885DB44

Function 00FF1CD0 Relevance: 10.7, APIs: 7, Instructions: 230
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF1D52
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00FF1D86
CloseHandle.KERNELBASE(00000000), ref: 00FF1D97
GetTickCount.KERNEL32 ref: 00FF1E02
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00FF1FDE
WriteFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 00FF2015
CloseHandle.KERNEL32(00000000), ref: 00FF2026

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 6672aff7efcf98257beb79c216405fb9517d92d260cbc9f9a6db55d2db82021a
Instruction ID: b361b83cf4e07e7ea1052565a7d1d052f81e68c6c44b7f4078f613fd40216244
Opcode Fuzzy Hash: 6672aff7efcf98257beb79c216405fb9517d92d260cbc9f9a6db55d2db82021a
Instruction Fuzzy Hash: 7791CE72510244EBD338DF68FD86B7A37A8FB08714F20401AF985D62A8E77F9A00DB55

Function 0100AEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 0100B03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 0100B1B3
CloseHandle.KERNEL32(00000000,?,?,?,00000001), ref: 0100B2C0

Strings

>fx, xrefs: 0100B1DA

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: d6ddbfec30a001863c83463021dc12e27b2e19f9b1c122e13ca7db91ea9acbb9
Instruction ID: afaf89defa9cc3c1089a3138692bfa97c12ad767b8314d0c7c826c1442cf0cac
Opcode Fuzzy Hash: d6ddbfec30a001863c83463021dc12e27b2e19f9b1c122e13ca7db91ea9acbb9
Instruction Fuzzy Hash: 0EB1CF7A600205CBEB35CF68E99267A37F4F718701F60441AE9C6CB299EB3F9841CB44

Function 00FF9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00FF9906
CloseHandle.KERNEL32(?), ref: 00FF9920
CloseHandle.KERNEL32(?), ref: 00FF994F

Strings

D, xrefs: 00FF98AE

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 5922513bb082730cb59eeb69b2c1c4ca48bbbd79538720b0b85d5eec39dd89d3
Instruction ID: ee35d94def3c854508da016d867fd53f9d11640e4b67a8eee9e9edf09a3c26b7
Opcode Fuzzy Hash: 5922513bb082730cb59eeb69b2c1c4ca48bbbd79538720b0b85d5eec39dd89d3
Instruction Fuzzy Hash: 13418275640209DBD734CFA4E995BB937F8FB08700F20441AEAD2DA299E7BF9904DB44

Function 0100B0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 0100B1B3
CloseHandle.KERNEL32(00000000,?,?,?,00000001), ref: 0100B2C0

Strings

>fx, xrefs: 0100B1DA

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 3a91c16988786853997c08d5d8090a2c2a5bb7c6ab370d528fbee61e1fbcd71e
Instruction ID: e8c130b4844c5802130ed995ff4724062a4eca87b72fe17c6b3f509e5cfabbd1
Opcode Fuzzy Hash: 3a91c16988786853997c08d5d8090a2c2a5bb7c6ab370d528fbee61e1fbcd71e
Instruction Fuzzy Hash: CF51BD7AA00105DBEB35DF68EA916AA73F8F718305F60045AE9C5CA289DB3F9941CB40

Function 00FF72E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00FF7323

Strings

wJ, xrefs: 00FF72FD

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: ExitProcess
String ID: wJ
API String ID: 621844428-3037638297
Opcode ID: 5751e2afd8b38dde822057f5da1df2706191361c6be745d5df14bf62e3d188a8
Instruction ID: ba0fc0134906d0033288737fe168a6c7182afb4a0935bc7c4ce20946d5a12986
Opcode Fuzzy Hash: 5751e2afd8b38dde822057f5da1df2706191361c6be745d5df14bf62e3d188a8
Instruction Fuzzy Hash: 89E012341212548FC7319FB4E886569BBB9FB24341790D126DC86C7129F7BF9801EF42

Function 00FE7300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00FE7397
CharLowerBuffA.USER32(?,00000000), ref: 00FE73BE

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 58ceb66e711936c87e58a05e7115a61934fdf6ed24b90d1c8db7fbbe14e670d7
Instruction ID: 5b9c8f22830030d7a849466ceb9a80049bf7a5e00b2e2ee51f578f628bef6783
Opcode Fuzzy Hash: 58ceb66e711936c87e58a05e7115a61934fdf6ed24b90d1c8db7fbbe14e670d7
Instruction Fuzzy Hash: 8621867A614250CF9B35CFA9F89187833F5FB48709324801AEC8A8B649DB3FA841DB41

Function 00FEF320 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00FE9A8B,?,0100B3E9), ref: 00FEF341
RtlAllocateHeap.NTDLL(00000000,?,00FE9A8B,?,0100B3E9), ref: 00FEF348

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: d3d5234186e4b60abcc4ca4f58cc5ddc19e0f62d439131a459c1128ee213d96c
Instruction ID: 4785d2796139fffd0338b6223e9335ab9369b10f899409edf071b4c82c67b82a
Opcode Fuzzy Hash: d3d5234186e4b60abcc4ca4f58cc5ddc19e0f62d439131a459c1128ee213d96c
Instruction Fuzzy Hash: 8DD0C9B4405308EBCB619FA4F94AA153FA9F704750F04915AF5D88666CC77F9240CF94

Non-executed Functions

Function 00FE82D0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 373pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE8407

Strings

D, xrefs: 00FE858F

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CreatePipe
String ID: D
API String ID: 2719314638-2746444292
Opcode ID: ab158bb2d4ebc50fb19f406d8aa4fba07ebc43f8987ffc1b495bfb3314df2571
Instruction ID: 6b6132214a995ac0e8879fe7ab7c5bc491f264984003ff374d324fdf26cd6e94
Opcode Fuzzy Hash: ab158bb2d4ebc50fb19f406d8aa4fba07ebc43f8987ffc1b495bfb3314df2571
Instruction Fuzzy Hash: 74F1A135A10244DFCB38DFA4E986AA977F8FB08710F20441AE886DB258DB7F9941DB14

Function 01009610 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1103COMMON

Download Yara Rule

Strings

OqJ, xrefs: 0100A31B
/, xrefs: 01009846
^B|W, xrefs: 01009665

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: /$OqJ$^B|W
API String ID: 0-3638892137
Opcode ID: d2d4f649cf3757c062dd136ee8e5c6cdc3d5d120988d958fa13d897ff254c57d
Instruction ID: 3019c835fcbbb59fe3644e02c42e0dec8e09dc152d6a61e9afe84392227a9386
Opcode Fuzzy Hash: d2d4f649cf3757c062dd136ee8e5c6cdc3d5d120988d958fa13d897ff254c57d
Instruction Fuzzy Hash: B7A20135A10205CBE739DF68F8926BA77F4FB44304F20451AE9C6DB299EB3E9944CB50

Function 00FF8D30 Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 607memorylibraryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FF8F40
LoadLibraryA.KERNEL32(00000000), ref: 00FF8FA3

Strings

,ojB, xrefs: 00FF94C0

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ,ojB
API String ID: 3872204244-2414600214
Opcode ID: 93255e4d9d128c2bb75faa951559899937161edd0dcc605f9450b3b257b7e419
Instruction ID: c4124ff0f443b3eaae8caaf98bff2963bfade2e17a972447778e75efdeda62ee
Opcode Fuzzy Hash: 93255e4d9d128c2bb75faa951559899937161edd0dcc605f9450b3b257b7e419
Instruction Fuzzy Hash: 5042FF76A10205DFD734DF68F99267937F4FB18310B20411AE986CB2A8EB7F9841CB51

Function 010074D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 01007585
Process32First.KERNEL32(00000000,00000128), ref: 010075E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 0100768A
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 010076B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 010076E3
Process32Next.KERNEL32(00000000,00000128), ref: 01007760
CloseHandle.KERNEL32(00000000), ref: 010077AC

Strings

W, xrefs: 01007794

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: 8ca40681eb052f8336bdc80e937a698cf5471fb92575ef260cd3f8cdcf6d5991
Instruction ID: 70d7b57b69511f697f7c7dda0df0b0ecc889bafedc2d17f5e3843d8704780776
Opcode Fuzzy Hash: 8ca40681eb052f8336bdc80e937a698cf5471fb92575ef260cd3f8cdcf6d5991
Instruction Fuzzy Hash: 5E81BD76A11204DFD739DF68F985AA937F8FB08315B20411AE9C6C624DEB7E9940CF44

Function 0100BB30 Relevance: 13.7, APIs: 9, Instructions: 158serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0100BB7D
CreateServiceA.ADVAPI32(00000000,01220508,01220508,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0100BBE8
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 0100BC31
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0100BC80
CloseServiceHandle.ADVAPI32(00000000), ref: 0100BC91
OpenServiceA.ADVAPI32(00000000,00000010), ref: 0100BCEF
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0100BD32
CloseServiceHandle.ADVAPI32(00000000), ref: 0100BD7B
CloseServiceHandle.ADVAPI32(00000000), ref: 0100BDB8

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 876b98de9473edf87a7994eceacec33a5b24cb6892fd55a7d8647e112e450993
Instruction ID: 0dccee71ae64cab92cbd7e5e3dac3c7d2ece13658736271ef373f6ee82e53944
Opcode Fuzzy Hash: 876b98de9473edf87a7994eceacec33a5b24cb6892fd55a7d8647e112e450993
Instruction Fuzzy Hash: 5D51DC39551210DBE37ADFA8E895B7977B0FB44705F24800AF9C18A288E77E8442CB66

Function 00FEC710 Relevance: 13.6, Strings: 9, Instructions: 2342COMMON

Download Yara Rule

Strings

l, xrefs: 00FED4A5
YA7, xrefs: 00FEEE99
X6m, xrefs: 00FEDB60
*O%, xrefs: 00FEE427
%, xrefs: 00FEE01B
"`&, xrefs: 00FEE917
0, xrefs: 00FEE61A
l, xrefs: 00FEE0C3
l, xrefs: 00FEE09F

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: lstrlen$wvsprintf
String ID: "`&$%$*O%$0$YA7$l$l$l$X6m
API String ID: 2123957224-3919630273
Opcode ID: 119dbde463d1d2473db07b0a1c3d8e5dff6a04a6b45dbd4b243444d17cb787de
Instruction ID: 9760048dd446e8cd06944289995d7cd302cea9d6a9889133c9e66f44e7c866f9
Opcode Fuzzy Hash: 119dbde463d1d2473db07b0a1c3d8e5dff6a04a6b45dbd4b243444d17cb787de
Instruction Fuzzy Hash: 1633DB75A10285CFCB38CF69F9826697BF1FB18315B20402AE8C6CB64DE73E9941DB44

Function 00FF4ED0 Relevance: 10.8, APIs: 7, Instructions: 345processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00FF4FD1
Process32First.KERNEL32(00000000,00000128), ref: 00FF50F8
CloseHandle.KERNEL32(00000000), ref: 00FF548A

Part of subcall function 0100F040: lstrlen.KERNEL32(?,?,00FE4EA1,?), ref: 0100F091

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00FF5267
Module32First.KERNEL32(00000000,00000224), ref: 00FF52E7
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00FF5406
Process32Next.KERNEL32(?,00000128), ref: 00FF545B

Part of subcall function 00FE7080: wvsprintfA.USER32(?,?,?), ref: 00FE70C7

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Nextlstrlenwvsprintf
String ID:
API String ID: 2324068143-0
Opcode ID: 3c0207405d9ab55ded0bccfa14bbfe3b5c76e9bf5f947c29ed1f25a26b0a6b81
Instruction ID: b9842035a15f127238a19442016739f9507c0a44fad75a7e47ce15a5d6d0b670
Opcode Fuzzy Hash: 3c0207405d9ab55ded0bccfa14bbfe3b5c76e9bf5f947c29ed1f25a26b0a6b81
Instruction Fuzzy Hash: 60E1C035A00214CBD738DF64F995AB937F8FB58701B20411AE9C6CA299EB7E9940DB44

Function 00FE5ED0 Relevance: 7.8, APIs: 5, Instructions: 284serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00FE5FA2
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00FE5FEC
GetLastError.KERNEL32 ref: 00FE600B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00FE60BF
CloseServiceHandle.ADVAPI32(00000000), ref: 00FE62BA

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: be4cbd4e59c7eb9957ca36a730258923b6c856f369fe7edd8668eb831f79cd75
Instruction ID: 93551849774cff442b0621c2c49b7084b2f422caf0ff3457864f55bd02f447a6
Opcode Fuzzy Hash: be4cbd4e59c7eb9957ca36a730258923b6c856f369fe7edd8668eb831f79cd75
Instruction Fuzzy Hash: D5C13272900205CFD738DF65E985A7A7BB4F754350B20412AE986DB248E77FA940DF41

Function 00FF5E60 Relevance: 6.2, APIs: 4, Instructions: 167processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF5F1A
Process32First.KERNEL32(00000000,00000128), ref: 00FF5F73
Process32Next.KERNEL32(00000000,00000128), ref: 00FF6095
CloseHandle.KERNEL32(00000000), ref: 00FF6123

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ecf4dc048915da6e81afde43e4b3bc2cc89e17c41234df5a49eed30e784e329e
Instruction ID: cc1c6b23c17b2c7ad10f25e36292a781ccbf6d523191efcc2a941d184d079786
Opcode Fuzzy Hash: ecf4dc048915da6e81afde43e4b3bc2cc89e17c41234df5a49eed30e784e329e
Instruction Fuzzy Hash: 5C710E76901208CBC734DF64F9866BA37F8FB08715F20402AEA85C625CEB7F9985DB10

Function 00FF3CB0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 470fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 00FF43F4

Strings

FH8, xrefs: 00FF3D5B
, xrefs: 00FF436E

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: DeleteFile
String ID: $FH8
API String ID: 4033686569-606782576
Opcode ID: 1e06d277abe68154b3f68473185a2c98cad3f56113702b2600cf608cf0b99063
Instruction ID: 937a5e8717c692bd064cc056721a9a990617bb89ef0fddf0cb7e576c266ce66d
Opcode Fuzzy Hash: 1e06d277abe68154b3f68473185a2c98cad3f56113702b2600cf608cf0b99063
Instruction Fuzzy Hash: 81022831A002098BD734EF68FD82ABA37B4FB54310F64401AE986DB299DB7F9940DF51

Function 00FFEDA0 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 609sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF00A0: GetSystemTimeAsFileTime.KERNEL32(?,?,?), ref: 00FF00DF
Part of subcall function 00FF00A0: __aulldiv.LIBCMT ref: 00FF0109

Sleep.KERNEL32(000008AE), ref: 00FFF7C9

Strings

@, xrefs: 00FFF71F
Wy, xrefs: 00FFF88E

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Time$FileSleepSystem__aulldiv
String ID: @$Wy
API String ID: 3392738291-774195479
Opcode ID: a8b887e6a2d5f43d8504b9d5ed42839b68a35793c4ea9f002bc42833a4981d6e
Instruction ID: c0122002ae1ccf5bd20a6b3fa8508c97f592e6ef0697590ea9529b04057ae688
Opcode Fuzzy Hash: a8b887e6a2d5f43d8504b9d5ed42839b68a35793c4ea9f002bc42833a4981d6e
Instruction Fuzzy Hash: 7D42F276910209CFD734DFA4E992AB977F4FF18310B24402AE982D7269EB3E9944DF41

Function 0100E500 Relevance: 4.4, Strings: 3, Instructions: 618COMMON

Download Yara Rule

Strings

4}, xrefs: 0100EC05
A0S, xrefs: 0100EAF7
hSw5, xrefs: 0100ED28

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: A0S$4}$hSw5
API String ID: 0-1196680536
Opcode ID: c4f1859e6b6ceac7c040ce42c9945fdebb3423fb12dcc9a26a8faf171cad465e
Instruction ID: 30e7532617313cacef6be44753bdd9280c6122f04589683769ba4686f30bfb33
Opcode Fuzzy Hash: c4f1859e6b6ceac7c040ce42c9945fdebb3423fb12dcc9a26a8faf171cad465e
Instruction Fuzzy Hash: 2A422075900255CFEB36CF68E9926BA3BF5FB14300F20481AE9C5DB289E73E8941CB55

Function 0100CF70 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 639COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 0100D0D4

Strings

m6 , xrefs: 0100D8A5

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: ComputerName
String ID: m6
API String ID: 3545744682-1930140140
Opcode ID: 0c15e44315798d1f2496fdb71fe02677ced7f0cae4fc4788edf6fecb7781872d
Instruction ID: 83dde45891c42b2a00b78f68f5e4a3fbad5de026611e079f191b1fb9a8f24123
Opcode Fuzzy Hash: 0c15e44315798d1f2496fdb71fe02677ced7f0cae4fc4788edf6fecb7781872d
Instruction Fuzzy Hash: 9B52E475510209CFD739EFA4ED92ABA73B4FB14300F60441AE582D7199EB7EAA84CF50

Function 01009809 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

/, xrefs: 01009846

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a57852166a07f1ddd73e9bf9f1e1c32ec5f1f6739027b9fc08efaf7295cae6be
Instruction ID: c59298c5879f8a660209c395d4c33414e0f06d1c8fd917315dca8048ede4eaf5
Opcode Fuzzy Hash: a57852166a07f1ddd73e9bf9f1e1c32ec5f1f6739027b9fc08efaf7295cae6be
Instruction Fuzzy Hash: 6702F6319102088BE739DF64EC92ABE77B4FB54305F10415AE9C6D7299EB3E9A40CF50

Function 010006D0 Relevance: 3.6, APIs: 2, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c41e74238c7051686a1679a71ca1300f142c461c691effd61aa7174b99defea
Instruction ID: f8add652a7b295c111d3d11d3fece43e998f9c6459dc37d6b7a05417ee76594e
Opcode Fuzzy Hash: 4c41e74238c7051686a1679a71ca1300f142c461c691effd61aa7174b99defea
Instruction Fuzzy Hash: C742EF75A00205DBE739DFA8E992ABA37F4FB04340F20441AE9C6C769DE77E9940CB54

Function 0100DFB0 Relevance: 3.2, APIs: 2, Instructions: 224libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000), ref: 0100E107
GetProcAddress.KERNEL32(00000000), ref: 0100E187

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 132939367cc0f4e39724167d706986978e3fafc994564ac24b89969c5ad58f23
Instruction ID: b409fa4c53fb72a3439316819bf09b26588e884f62ffb94031d71e17ca3c3cce
Opcode Fuzzy Hash: 132939367cc0f4e39724167d706986978e3fafc994564ac24b89969c5ad58f23
Instruction Fuzzy Hash: 58A1FE75611241CBE379CF68F946AA937F4F708300B24852AE9D6DA2DDEB7F9840CB50

Function 00FF00A0 Relevance: 3.1, APIs: 2, Instructions: 87timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?), ref: 00FF00DF
__aulldiv.LIBCMT ref: 00FF0109

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID:
API String ID: 2838486344-0
Opcode ID: 4b93ef7525f00934483d41bd6e5452aa3cb571a973bc669960b1b8a70a4dc335
Instruction ID: 0695b015866ef7de2ab6219cb3dcafa19d2d4ca806ce8f836eb2bbc4fc590850
Opcode Fuzzy Hash: 4b93ef7525f00934483d41bd6e5452aa3cb571a973bc669960b1b8a70a4dc335
Instruction Fuzzy Hash: 02310F35A102089BDB38CFA8F99157973F4FB40320325821AE8C2DB658EF7EE841CB41

Function 00FF0530 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

\3ka, xrefs: 00FF0971
SBYc, xrefs: 00FF0858

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: lstrlen
String ID: SBYc$\3ka
API String ID: 1659193697-3511221416
Opcode ID: 96c5fc1c47145c57709adabe7eaf2a5ab2f3cec404d2f567061b589e8dbed09f
Instruction ID: 456eef9cbee21dc56351fb2069f1edcc02c0f039a7cb168c41c0486f495a9eef
Opcode Fuzzy Hash: 96c5fc1c47145c57709adabe7eaf2a5ab2f3cec404d2f567061b589e8dbed09f
Instruction Fuzzy Hash: D7F1D97AA10255CBC738DF28E99153933F1FB48315324852BE8C6CB25AEB3ED840DB45

Function 00FFB7D0 Relevance: 2.2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

Strings

, xrefs: 00FFC42E

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6da8bb10b0f3e7f0968934b23b4ca7c44f2683855e983bb843581e54a33c10af
Instruction ID: 951d73018f6bbebde95503b9eaec8c423c0920d441f2c32e4836849d20e6b6de
Opcode Fuzzy Hash: 6da8bb10b0f3e7f0968934b23b4ca7c44f2683855e983bb843581e54a33c10af
Instruction Fuzzy Hash: C982F372D00219CBCB34CFA8E9819BE77F8FF18711B24411AE981DB258E73E9945DB94

Function 00FFC089 Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

, xrefs: 00FFC42E

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9e86e88c340c0d4868212371bf8c29f8c7cbc303b613528a0b3a6acaa467ca12
Instruction ID: 3d85906670851f6318c1c37a6cd1d0b3ca05311358a9a872dd2e5084cbabed36
Opcode Fuzzy Hash: 9e86e88c340c0d4868212371bf8c29f8c7cbc303b613528a0b3a6acaa467ca12
Instruction Fuzzy Hash: 74E1E472D00219CBCB34DFA4EA819BD77F8FF18714B24411AE985DB218E73EA945DB90

Function 00FE4809 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

_JO, xrefs: 00FE4C8D

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: _JO
API String ID: 0-2197586830
Opcode ID: 5c485abaeb4c2825a3541cbc83787b834160c31f657d47700e4ad9586159bc9a
Instruction ID: 47648b0e74c1f2469112e945bc60b83d50c6e549df8a4067b7d90e7b5e91360a
Opcode Fuzzy Hash: 5c485abaeb4c2825a3541cbc83787b834160c31f657d47700e4ad9586159bc9a
Instruction Fuzzy Hash: 80E1DB76A10251CBC738CF69E88263977F1FB98311724851EE886CB64DE77EE981CB04

Function 0100DE80 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0100DEC5

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: e5e0eae3c31c888be6cadb26e09b5f851029da404fe6a1a3ca73160d120e64fb
Instruction ID: 2d0c960333a9480479c401fdb37461f79286366827c4135129680c19da01dbac
Opcode Fuzzy Hash: e5e0eae3c31c888be6cadb26e09b5f851029da404fe6a1a3ca73160d120e64fb
Instruction Fuzzy Hash: 5F018F79804209CFCB70EFA8E8816BA77F4FB14301F60854AE895D7658E77E8585CB80

Function 0100F590 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

~By, xrefs: 0100F99E

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: ~By
API String ID: 0-2661720115
Opcode ID: fc98fe2208f1fcc1a26cca963286849c8ff37ab9a38f082318eb4ab073a6b850
Instruction ID: 8b7ae175e9ce52bccd398fcc4fcd562539a36af08432624228ea7d8330884b9a
Opcode Fuzzy Hash: fc98fe2208f1fcc1a26cca963286849c8ff37ab9a38f082318eb4ab073a6b850
Instruction Fuzzy Hash: 58B1CB36601652CBD336CF68EA8156937F1F758705B38811AE8C9CB69DE73F9882CB44

Function 0100C9D0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

cxD, xrefs: 0100CA52

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: cxD
API String ID: 0-2521125608
Opcode ID: 8af8232481171e242e307f87eb3f3d49e99025b15e63841e3e4a653be8ef4488
Instruction ID: a38ed66b7621b420bf5620e29bc9ec3262afc65994923b9b7bab6e45bc824283
Opcode Fuzzy Hash: 8af8232481171e242e307f87eb3f3d49e99025b15e63841e3e4a653be8ef4488
Instruction Fuzzy Hash: 6B91F076610612CFE735CF28E58143977F5FB49711B24826AE8C6CB658E73EE880CB90

Function 00FE13D0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

[[D, xrefs: 00FE1761

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID: [[D
API String ID: 0-3714464512
Opcode ID: 7923e8bf3be98e866c1ce09d7fe2633de825a15777f0a25f205cb611e729dbf3
Instruction ID: bdf6f489390d26331c5f32e979f1ed5669f47d14cf374718a3f7f9f76e6c9fc5
Opcode Fuzzy Hash: 7923e8bf3be98e866c1ce09d7fe2633de825a15777f0a25f205cb611e729dbf3
Instruction Fuzzy Hash: 2DA1D93A601281CFC738CF6AE98217977F5FB49304328851AE8C6CB209E73F9885DB45

Function 00FFD310 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d063dd20934ff208845aac29cd36c4a33493d526993796421794e96f430e0c70
Instruction ID: 76cd0191fb83b766023b41c07c7a892d93d4cd01b2ce8f28f4c69296f970e874
Opcode Fuzzy Hash: d063dd20934ff208845aac29cd36c4a33493d526993796421794e96f430e0c70
Instruction Fuzzy Hash: 0D62E271D00209DBCB34DF68ED81ABA77B9FB54314F24402AE981DB269E77EDA40DB50

Function 010079E0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d3c0b01e1d4c26b7650c8695c2867b5086b4c204ac3ea4e1ce05756c80c060
Instruction ID: b5cdb739e8db819aab44d06c8c8d8c95fb9df64003951d791047b80b19102ca4
Opcode Fuzzy Hash: 60d3c0b01e1d4c26b7650c8695c2867b5086b4c204ac3ea4e1ce05756c80c060
Instruction Fuzzy Hash: E0E13875600205CBD735DF68E89297A37F5FB48310B20842EE9C6CB299E73ED941CB55

Function 010080E0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11ff61afd7835d80e96eaf6d4b78d3a37d9bd1edb242d0400ab3c257a708447
Instruction ID: 838fe03c0d1292bbb203b8746920f6be5664602c98ba13b3c3187e272b2f6047
Opcode Fuzzy Hash: f11ff61afd7835d80e96eaf6d4b78d3a37d9bd1edb242d0400ab3c257a708447
Instruction Fuzzy Hash: 1BE11271A10215CFDB79CF68E99157977F1FB58301B20812BE8C6DB288E73E9981CB44

Function 00FF3700 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 269a03e7185737b57871e1fae84b4c2ab29396dfa69c950caa3c455b6ea9383c
Instruction ID: 423039ad0b1931ddc329a675a27b27397aafbf104ff46d68059f9710a6f390a5
Opcode Fuzzy Hash: 269a03e7185737b57871e1fae84b4c2ab29396dfa69c950caa3c455b6ea9383c
Instruction Fuzzy Hash: 8FE1C531900208DBD738EF64ED92AFE77B8FF14300F20001AE582975A9EB7E6A44DB51

Function 00FF5810 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcef94dd01c941224e75c87345db916c66c24de7d1e95f9e52ddab56761da97
Instruction ID: 5aed3529f5bc9921d50c7990c6e9105c906f9e113345604c51c7ee6a86824e16
Opcode Fuzzy Hash: cdcef94dd01c941224e75c87345db916c66c24de7d1e95f9e52ddab56761da97
Instruction Fuzzy Hash: 67D1B976910645CBC338CF68E88252977F1F759325324812AE9C6C6A6CE7BF9841CF00

Function 00FFFB50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e895465f85925e0d7fda50a2d390119fa825f15a6cbb3fe6357a3b7114b84a
Instruction ID: 6875f43bb9678773fcac93170bd54548ddf915066853feed748cb51877b50970
Opcode Fuzzy Hash: 19e895465f85925e0d7fda50a2d390119fa825f15a6cbb3fe6357a3b7114b84a
Instruction Fuzzy Hash: DDC16272A00264CFD738CF28E59252977F5FB59301364852AE8C6CB2A8EB3F9945CB45

Function 00FFA820 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba53e6a66521f182a5fcea199ddba2fcca41c59162d7b1eff67955d1b66917f7
Instruction ID: 0e090c98a32f0aaa470f707dca0d66ba0245dce6db0110273c21aaffae928d63
Opcode Fuzzy Hash: ba53e6a66521f182a5fcea199ddba2fcca41c59162d7b1eff67955d1b66917f7
Instruction Fuzzy Hash: E4B10A76610284CFD338CF68E981569BBF0FB58300764812AE8C9CB69DE77ED940CB56

Function 00FF81F0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596200550ef680abca1a605ab7e97084f07b724352829ef3996d7a962e8861b6
Instruction ID: 2957814eabd76c0354390d9a4104f200b0abe1089387e733e0bea38c297bf395
Opcode Fuzzy Hash: 596200550ef680abca1a605ab7e97084f07b724352829ef3996d7a962e8861b6
Instruction Fuzzy Hash: DBA10E72A00645CBD338DF68F992A3A33F4FB18751760441AE8C2CB259EB7ED941DB50

Function 01008338 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b290bde7eb51efc484e25495135135230ad9cc1410cea327508ded648fd22bfc
Instruction ID: e728e83e17f337a96a9aa5b2d1e6d20397091f69b78e1eb2778c5e0a9a096549
Opcode Fuzzy Hash: b290bde7eb51efc484e25495135135230ad9cc1410cea327508ded648fd22bfc
Instruction Fuzzy Hash: 5C91D171E102158BDB79CF68E991579B3F0FB58311B24812BE986DB388EB3E9941CB44

Function 00FF7AC1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 162registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_00028A40), ref: 00FF7BB6
SetServiceStatus.ADVAPI32(01031504), ref: 00FF7C2D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FF7C5F
SetServiceStatus.ADVAPI32(01031504), ref: 00FF7CB4
WaitForSingleObject.KERNEL32(00001388), ref: 00FF7CE8
SetServiceStatus.ADVAPI32(01031504), ref: 00FF7D76
CloseHandle.KERNEL32 ref: 00FF7D94
SetServiceStatus.ADVAPI32(01031504), ref: 00FF7E26

Strings

W@_, xrefs: 00FF7D37
R\, xrefs: 00FF7E40

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: R\$W@_
API String ID: 3399922960-625819527
Opcode ID: e784099cba1810bd56c0f5842d6ee062bae1a959d6ac27fec866636302f4dc75
Instruction ID: da1ed3c7a60712bd2a314cf9dcd8fbb2fa684b3644fd4692c4c4b6aa562ace7f
Opcode Fuzzy Hash: e784099cba1810bd56c0f5842d6ee062bae1a959d6ac27fec866636302f4dc75
Instruction Fuzzy Hash: 898136B5A10241CBD734DFA4E999A203BF5F75C302B24452AE8C28A69CD7BF9541DF40

Function 0100B460 Relevance: 9.1, APIs: 6, Instructions: 138filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0100B4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 0100B52B
CloseHandle.KERNEL32(00000000), ref: 0100B561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100B5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0100B619
CloseHandle.KERNEL32(00000000), ref: 0100B62D

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: b051ace24ace7775b9323c94b9dd8ab727ee08439c02aabd63ff319662c035a3
Instruction ID: 015c1dcc7fe2724a913120de3cc6acb87a840e459eb395257f385d1cd19af382
Opcode Fuzzy Hash: b051ace24ace7775b9323c94b9dd8ab727ee08439c02aabd63ff319662c035a3
Instruction Fuzzy Hash: B551E035510208DBC735DF68F881ABA77F4FB08311F20425BF985DA698EB3E9980DB95

Function 00FE8C10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE8CCD
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00FE8D4D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00FE8E97
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00FE8F2E

Strings

"ie, xrefs: 00FE8C37

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: "ie
API String ID: 2564258376-2574374593
Opcode ID: 16b00a88a23da48d210f634d01eab76bc14400d98abaf909b00e27edd5f6f16a
Instruction ID: 34423262a8af8ad32a63be54f2c2d16cfba0aaf2fdb81cb9f854c52491424688
Opcode Fuzzy Hash: 16b00a88a23da48d210f634d01eab76bc14400d98abaf909b00e27edd5f6f16a
Instruction Fuzzy Hash: 3A81E035A10214CBD734EF68EC9567933B4FB48751F20402AF989C7299EB3F9981DB44

Function 00FEF9C0 Relevance: 7.6, APIs: 5, Instructions: 91synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00FEFA3C
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00FEFA66
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00FEFA95
WaitForSingleObject.KERNEL32(7BB70CEF,000000FF,?,00000000,00000000), ref: 00FEFAD6
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00FEFB15

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 3b5333bbabcc75a19af9027b2a0a883c3494e4056ce025026c3b3ffcbc53cdb9
Instruction ID: dd25ed5018b4ca383de703b8f81d8290ba1d71ead16845a9b0aae50e5ea87cd2
Opcode Fuzzy Hash: 3b5333bbabcc75a19af9027b2a0a883c3494e4056ce025026c3b3ffcbc53cdb9
Instruction Fuzzy Hash: D3417C36600244CFD334DF68E985B653BF8F708715B24802AE8CACB698DB7EA840CB04

Function 01008A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(01031504), ref: 01008ABA
SetEvent.KERNEL32 ref: 01008AD9
SetServiceStatus.ADVAPI32(01031504), ref: 01008B95

Strings

^iJ, xrefs: 01008B5D

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: ^iJ
API String ID: 3225596143-2484620576
Opcode ID: 1efdf559c5b2c44fcb06b368f2d5cbdcfc50c5f3509e8c17d0504a5275d2ef6e
Instruction ID: be151f662564f10976eb9c731f36cd0b907a783e4dedfe2f5f88de058bb94bd7
Opcode Fuzzy Hash: 1efdf559c5b2c44fcb06b368f2d5cbdcfc50c5f3509e8c17d0504a5275d2ef6e
Instruction Fuzzy Hash: EC31A7B5A00B11CAD775EFA0F59686637B8F349745B20940BE4C2CB6A8EB7F8481CF05

Function 00FEF6A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,0100B3AD), ref: 00FEF6E2
GetStdHandle.KERNEL32(000000F5,?,0100B3AD), ref: 00FEF726
GetStdHandle.KERNEL32(000000F4,?,0100B3AD), ref: 00FEF793

Strings

)He, xrefs: 00FEF795

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Handle
String ID: )He
API String ID: 2519475695-3578743732
Opcode ID: ffbabeba5419d568308e4d1044f4cc93a03c9889ac48a2b9f3c69f5a544b519d
Instruction ID: a1feeaa9328125c0eed45f53a2e2a568abb5991a4b4d405d7c97e675da7c7e85
Opcode Fuzzy Hash: ffbabeba5419d568308e4d1044f4cc93a03c9889ac48a2b9f3c69f5a544b519d
Instruction Fuzzy Hash: 9821A9729546908BD738CF69FA9162537F4FB0C306720421BE492C76A9E7BF8481CB04

Function 00FF25A0 Relevance: 6.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00FFA040,00000000,?), ref: 00FF25F8
RtlReAllocateHeap.NTDLL(00000000,?,00FFA040,00000000), ref: 00FF25FF
GetProcessHeap.KERNEL32(00000000,?,?,00FFA040,00000000,?), ref: 00FF261B
HeapAlloc.KERNEL32(00000000,?,00FFA040,00000000,?), ref: 00FF2622

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 4e020071377ba717d1e9e3151e9ac8c8ad1cc7efa21553bcc9a954f4c0c4b827
Instruction ID: 8dd306e78702bc587016629d3f02a3ae5c1dfa5b760afd8037f6a9e0b461a07f
Opcode Fuzzy Hash: 4e020071377ba717d1e9e3151e9ac8c8ad1cc7efa21553bcc9a954f4c0c4b827
Instruction Fuzzy Hash: 09016D36A50219DBD7748FB5E548A7937F8F748715B14800AF988C6558D77EC8418B12

Function 00FFA110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,00000001,00000000,00000001,00000000,?,00FE87C6,?,00000001), ref: 00FFA240
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00FE87C6,?), ref: 00FFA2FA

Strings

Z_%., xrefs: 00FFA261

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: FileRead
String ID: Z_%.
API String ID: 2738559852-3593569407
Opcode ID: d94aeaab0f5ef0837c0d076975d6f31024ddaddfade3d637bda30355d8fb58f6
Instruction ID: 3e0a79b6e31932fbaa37c6d45411f4ad8ca3804fd6f7405dfb8b99a8ba9dac8c
Opcode Fuzzy Hash: d94aeaab0f5ef0837c0d076975d6f31024ddaddfade3d637bda30355d8fb58f6
Instruction Fuzzy Hash: F951CC71600209CBC734CF68E98467A37F9FB48711B65401AE989CB658EB3FD980DF41

Function 00FFEB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00FFEB9A
GetLastError.KERNEL32 ref: 00FFEBC9

Strings

+{(, xrefs: 00FFEBF0

Memory Dump Source

Source File: 00000000.00000002.1401753176.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.1401733804.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401778867.0000000001010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001015000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.000000000102F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401794340.0000000001031000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1401965698.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_PORgjGswYg.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: +{(
API String ID: 1917127615-1986729412
Opcode ID: d6c7b46016725c35c328953cd89ff6184c1c394fea70dedc1e6f7e6fcce3e52d
Instruction ID: b4ee56b6a19690d8baad312863589e9b872538e68b3cc02bd047280d2aae0e2d
Opcode Fuzzy Hash: d6c7b46016725c35c328953cd89ff6184c1c394fea70dedc1e6f7e6fcce3e52d
Instruction Fuzzy Hash: E3219D352106008FC738DF68E9D653937FAF758715720802AE88AC722CE73E9981CB51

Analysis Process: d939bcdhmynt2wokv.exePID: 7784, Parent PID: 7728COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	1869
Total number of Limit Nodes:	51

Executed Functions

Function 00AE4E51 Relevance: 65.1, APIs: 29, Strings: 7, Instructions: 2115synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00AE5988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AE59F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AE5A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00AE5A92
GetTickCount.KERNEL32 ref: 00AE5B31

Part of subcall function 00AD6220: GetVersionExA.KERNEL32(00B11250), ref: 00AD62F0
Part of subcall function 00AD6220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AD640F

GetCommandLineA.KERNEL32 ref: 00AE5C00
Sleep.KERNEL32(000007D0), ref: 00AE62F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00AE63D0
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00AE63E6
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00AE6401
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 00AE65FB
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00AE6655
GetCommandLineA.KERNEL32 ref: 00AE66EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00AE6787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 00AE69DB
WSAStartup.WS2_32(00000202,?), ref: 00AE6BD6
CloseHandle.KERNEL32 ref: 00AE6D98
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00AE6DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 00AE6E23

Part of subcall function 00AD1650: Sleep.KERNEL32(000003E8), ref: 00AD1762
Part of subcall function 00AD1650: FindFirstFileA.KERNEL32(?,?), ref: 00AD1850

Part of subcall function 00AEF040: lstrlen.KERNEL32(?,?,00AC4EA1,?), ref: 00AEF091

Sleep.KERNEL32(000003E8), ref: 00AE6270

Part of subcall function 00AE74D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00AE7585
Part of subcall function 00AE74D0: Process32First.KERNEL32(00000000,00000128), ref: 00AE75E1
Part of subcall function 00AE74D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00AE768A

Strings

-"[, xrefs: 00AE54AF, 00AE54C0
C:\iduicjypf\pubealmiyel.exe, xrefs: 00AE6B75, 00AE6B8F, 00AE7075, 00AE7092, 00AE70AA, 00AE7270
gcXO, xrefs: 00AE6818
e, xrefs: 00AE57ED
7n2`, xrefs: 00AE5C78
W^V, xrefs: 00AE6CA6
C:\Users\user, xrefs: 00AE5982

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Users\user$C:\iduicjypf\pubealmiyel.exe$W^V$gcXO$e
API String ID: 552692769-3796238231
Opcode ID: bb1bf31b2c80ceeb5ad6f141660736593ab1495e7311b2b880813467e058c0a5
Instruction ID: fb7b511308b14aa3fac4869acf79516ca61d3f407693a93bb15512701443e1c7
Opcode Fuzzy Hash: bb1bf31b2c80ceeb5ad6f141660736593ab1495e7311b2b880813467e058c0a5
Instruction Fuzzy Hash: 95131271A102419FD718EFE9FD86A7A37B4FB24741F40492AE502CB2B1EF749881CB55

Function 00AD6220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00B11250), ref: 00AD62F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AD640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00AD659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00AD65D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AD66CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AD67C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AD6AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AD6B2C

Part of subcall function 00AC7080: wvsprintfA.USER32(?,?,?), ref: 00AC70C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AD6C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00AD6E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AD6F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00AD709E

Strings

C:\iduicjypf\, xrefs: 00AD6707, 00AD6AEC, 00AD6D7B, 00AD6F4F
\, xrefs: 00AD6CEA
C:\Users\user, xrefs: 00AD694F, 00AD69EC

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Users\user$C:\iduicjypf\$\
API String ID: 3229173561-3579721949
Opcode ID: 32e2dc14959babee8b64bb77ff7513da8e40404c736f3535c54ca37e87648e61
Instruction ID: 0b88622b32a42b07aeabe384a4f2dc8eb851ebe1bffad8c2fa28f701478737cd
Opcode Fuzzy Hash: 32e2dc14959babee8b64bb77ff7513da8e40404c736f3535c54ca37e87648e61
Instruction Fuzzy Hash: B27205719102098BC718EFE4FD86ABA37B4FB24701F40852AE506DB271EF749986CF55

Function 00AD8D30 Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 607
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00AD8F40
LoadLibraryA.KERNELBASE(00000000), ref: 00AD8FA3

Strings

,ojB, xrefs: 00AD94C0

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ,ojB
API String ID: 3872204244-2414600214
Opcode ID: 22dc14da6a925a208d4f3c378b25aef6ecc5aa3d5931c87bdccc6c0e6665ced0
Instruction ID: 7016d1494caea6ea422f4dab442a8a6c528abadaf819638ac5aedc3b63466cbe
Opcode Fuzzy Hash: 22dc14da6a925a208d4f3c378b25aef6ecc5aa3d5931c87bdccc6c0e6665ced0
Instruction Fuzzy Hash: BE42CD756102059FD708DFE8ED92A7A7BF4FB28301B00452AE906DB2B1EF35D942CB55

Function 00AEBB30 Relevance: 13.7, APIs: 9, Instructions: 158
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00AEBB7D
CreateServiceA.ADVAPI32(00000000,0112FC20,0112FC20,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AEBBE8
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AEBC31
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AEBC80
CloseServiceHandle.ADVAPI32(00000000), ref: 00AEBC91
OpenServiceA.ADVAPI32(00000000,00000010), ref: 00AEBCEF
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AEBD32
CloseServiceHandle.ADVAPI32(00000000), ref: 00AEBD7B
CloseServiceHandle.ADVAPI32(00000000), ref: 00AEBDB8

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: b35dd3d44f0cac54ba72ea310f393da192aa713b300f2b609da33fc69c7ca7d0
Instruction ID: 10874385053cad3b08e8f373c573d8bb4b2f4c52f09fab520e62c03e01c90615
Opcode Fuzzy Hash: b35dd3d44f0cac54ba72ea310f393da192aa713b300f2b609da33fc69c7ca7d0
Instruction Fuzzy Hash: AE51DF35920640DBC315CFE5FC9AB7A37B0FB24701B14801AEA01C76B0EF748842CBA5

Function 00AEDFB0 Relevance: 4.7, APIs: 3, Instructions: 224
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000), ref: 00AEE107
GetProcAddress.KERNEL32(00000000), ref: 00AEE187
CryptGenRandom.ADVAPI32(00000004,?), ref: 00AEE29F

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: 5e71a60d8b9ebabc9346dc4f5deadc0bfa5be1e4f2132382a43b3069a6dbee9a
Instruction ID: 9c26d1959d3cf696d2a4e8d8e499020bb1d4a8176ff20801a826fc075bde3d9b
Opcode Fuzzy Hash: 5e71a60d8b9ebabc9346dc4f5deadc0bfa5be1e4f2132382a43b3069a6dbee9a
Instruction Fuzzy Hash: FFA10075510281CFD714DFA9FD46ABA37F4FB24741B40862AE616CB2B1EF348881CB55

Function 00AECF70 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00AED0D4

Strings

m6 , xrefs: 00AED8A5

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: ComputerName
String ID: m6
API String ID: 3545744682-1930140140
Opcode ID: 7fdbd41d268ffe50eeb238037ad8e7d81df996836bb7abafd8ae8743f38edc55
Instruction ID: 98a23cafcf4f844046abbf0bba174dd2df455a03f5cfadf2fda6078f2d86f839
Opcode Fuzzy Hash: 7fdbd41d268ffe50eeb238037ad8e7d81df996836bb7abafd8ae8743f38edc55
Instruction Fuzzy Hash: 6852B071910245CFD718EFA4EE92ABE77B4FB24300F50482AE502D72B1EF74AA85CB55

Function 00AC8C10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AC8CCD
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AC8D4D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AC8E97
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AC8F2E

Strings

"ie, xrefs: 00AC8C37

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: "ie
API String ID: 2564258376-2574374593
Opcode ID: 2e014e9eae1995aa22a39518998f434464fe85aea9462bf21fbc459ac2001145
Instruction ID: e0d87e1c3227e8398ada3718d6cfdfe44759098479a0beb15207634808485eca
Opcode Fuzzy Hash: 2e014e9eae1995aa22a39518998f434464fe85aea9462bf21fbc459ac2001145
Instruction Fuzzy Hash: 6581EF75610210DBDB14DFA8ED86B7A37B5FB64701F10452AE906C72B1EF38D982CB89

Function 00AEAEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00AEB03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00AEB1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00AEB2C0

Strings

>fx, xrefs: 00AEB1DA

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: 74a62abb2fed82e2e471a7cefa9da32d592868f1015fdb74f562680ef2f47824
Instruction ID: 6301a3abdbf631a1c07b4db25d9907f6c9eeff1a5160cae30dce6a10a18ba9bb
Opcode Fuzzy Hash: 74a62abb2fed82e2e471a7cefa9da32d592868f1015fdb74f562680ef2f47824
Instruction Fuzzy Hash: 83B1FA76620200CFDB08CFE9EE9667A77F4FB24701B00452AE916CB2B0EF349952CB55

Function 00AE8700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AE87C2
CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 00AE8815
FreeSid.ADVAPI32(?), ref: 00AE8874

Strings

V=, xrefs: 00AE8854

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: V=
API String ID: 3429775523-117639121
Opcode ID: 1091587ac4ddc9c0e779100717621e2e906db2cc076a11202893f068431a1c7c
Instruction ID: db16916b4f13a8b7bbd238a82622e8b800c4e219f6716be942e538ba090bfb98
Opcode Fuzzy Hash: 1091587ac4ddc9c0e779100717621e2e906db2cc076a11202893f068431a1c7c
Instruction Fuzzy Hash: 1641C9B4910244DFD704CFEAEE85AB977F4F728312F50855AEA05D72A0EF34A981CB11

Function 00AD9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00AD9906
CloseHandle.KERNEL32(?), ref: 00AD9920
CloseHandle.KERNEL32(?), ref: 00AD994F

Strings

D, xrefs: 00AD98AE

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 3ddbe0d97fbfa67c35ccf766d17205e872440ce3bb4855dddac68f336045c839
Instruction ID: 26eb157e006d822a1b9f673ec1102a2861525cfc8c58ed43dfef13511e5c79c0
Opcode Fuzzy Hash: 3ddbe0d97fbfa67c35ccf766d17205e872440ce3bb4855dddac68f336045c839
Instruction Fuzzy Hash: 55415C74550204DFD714CFE4ED96BBA7BB8F728700F10441AE612DB2B0EB75A945CB45

Function 00AEB0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00AEB1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00AEB2C0

Strings

>fx, xrefs: 00AEB1DA

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 4e6038066ffed92adf0793eb38fcec95717686e293a2d042a3f7949cbfa8ba93
Instruction ID: 886269cfd201c9de1f90ab2b5dd8b28b651c0613ceb1b46156000f732754044c
Opcode Fuzzy Hash: 4e6038066ffed92adf0793eb38fcec95717686e293a2d042a3f7949cbfa8ba93
Instruction Fuzzy Hash: C851CF76920144DBCB14DFE9EE99ABA73F4FB24341B50052AEA01DB6B0EF349942CF54

Function 00AD72E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00AD7323

Strings

wJ, xrefs: 00AD72FD

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: ExitProcess
String ID: wJ
API String ID: 621844428-3037638297
Opcode ID: 7f10600129b6a9b4887b36c1d74fa911b5a7c6c547e41a16e208f22539b0d0ba
Instruction ID: 7ec00ad0fee5b38bf810bc3944f007e8fd16eca90850820c14ca8049cdfcb986
Opcode Fuzzy Hash: 7f10600129b6a9b4887b36c1d74fa911b5a7c6c547e41a16e208f22539b0d0ba
Instruction Fuzzy Hash: 4EE0EC341682458FD704DFE5ED82A68BB75F760341380A426EC06CB232FF719802EF56

Function 00AC7300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00AC7397
CharLowerBuffA.USER32(?,00000000), ref: 00AC73BE

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: d4cc5811c8c5d4a0606e6f32254a76d2ed8e82f4e73e0fd1619105fbcb97b978
Instruction ID: bd673abe19381e83f641a08a9ed6002565cf5060ae4abb3e1c545b460f57da49
Opcode Fuzzy Hash: d4cc5811c8c5d4a0606e6f32254a76d2ed8e82f4e73e0fd1619105fbcb97b978
Instruction Fuzzy Hash: BD219D766145008FEB05CFE4FC9597933B5FB68716304801AE80ACB670DF75A882DF91

Function 00AC6C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00AD9FF6,?,00AD9FF6,00000000), ref: 00AC6CA6
RtlFreeHeap.NTDLL(00000000,?,00AD9FF6,00000000), ref: 00AC6CAD

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: cfc16e86ea0fd0be7f0efb5db12b9f53f584a66bb43b17f0868433a0f16e9a91
Instruction ID: e35adaf3e1fbc47fa70161fc12f26f2380adb83751f2ff1ba663b08c9cc260a5
Opcode Fuzzy Hash: cfc16e86ea0fd0be7f0efb5db12b9f53f584a66bb43b17f0868433a0f16e9a91
Instruction Fuzzy Hash: C9D09231855708AFE780EBF8FC0DA253B68EB44645F50400AE709CA021EA609962CBA5

Function 00ACF320 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00AC9A8B,?,00AEB3E9), ref: 00ACF341
RtlAllocateHeap.NTDLL(00000000,?,00AC9A8B,?,00AEB3E9), ref: 00ACF348

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ad03cedbf852bdd51acdab7fbcaead0c04c07363b7eab7648a388f23f8e03b1e
Instruction ID: 9e63a0a7ce594e5a5fed7e7c83d5d85a458dfa2abe6621ba8c838c19b0c8c30f
Opcode Fuzzy Hash: ad03cedbf852bdd51acdab7fbcaead0c04c07363b7eab7648a388f23f8e03b1e
Instruction Fuzzy Hash: 0DD092B0405304ABCB40DFE4FD0AF263FA8A704A54F025159E5988A675CB769102CEA4

Function 00ADB470 Relevance: 1.6, APIs: 1, Instructions: 124fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00ADB57A

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48a9b3efbc44c7445d178065aea1a4269d67dbabd71b3df8370bb6f3b9cda806
Instruction ID: 2b656ca5a4691cee064ccad69cf2e4bf402e28f0a207b1d85749ed356a2dac03
Opcode Fuzzy Hash: 48a9b3efbc44c7445d178065aea1a4269d67dbabd71b3df8370bb6f3b9cda806
Instruction Fuzzy Hash: 0851BB71520244DAD728DFA8ED86BBA33B4F724751F00851BE902CB2B1EF749982CB91

Non-executed Functions

Function 00AC82D0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 373pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AC8407

Strings

D, xrefs: 00AC858F

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CreatePipe
String ID: D
API String ID: 2719314638-2746444292
Opcode ID: 87daa743c9ba586091613590470983c829fdd57dafbdb0bbd17b7fc8ddb20377
Instruction ID: 2ff9d93877ca2fd1aa1cd151ca17afffee8c4d9d69d6b7804c97522be97abd8c
Opcode Fuzzy Hash: 87daa743c9ba586091613590470983c829fdd57dafbdb0bbd17b7fc8ddb20377
Instruction Fuzzy Hash: 72F1BF75910204DFDB08DFE8ED86AB97BF9FB24701B10451AE902DB670EF74AA42CB54

Function 00AD4ED0 Relevance: 10.8, APIs: 7, Instructions: 345processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00AD4FD1
Process32First.KERNEL32(00000000,00000128), ref: 00AD50F8
CloseHandle.KERNEL32(00000000), ref: 00AD548A

Part of subcall function 00AEF040: lstrlen.KERNEL32(?,?,00AC4EA1,?), ref: 00AEF091

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AD5267
Module32First.KERNEL32(00000000,00000224), ref: 00AD52E7
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00AD5406
Process32Next.KERNEL32(?,00000128), ref: 00AD545B

Part of subcall function 00AC7080: wvsprintfA.USER32(?,?,?), ref: 00AC70C7

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Nextlstrlenwvsprintf
String ID:
API String ID: 2324068143-0
Opcode ID: 70983a414a6bc0fbff9f041f7da7ebbee220160b66a22e060f3b2afcff023a53
Instruction ID: f289a84be243ef1fe4c790e4f341e789239c11ff68049ee1bde49b63d5260ca7
Opcode Fuzzy Hash: 70983a414a6bc0fbff9f041f7da7ebbee220160b66a22e060f3b2afcff023a53
Instruction Fuzzy Hash: CAE1F135A10200CBD718DFA8ED96ABA37F4FB68701B00452AE806CB7B1EF749981CB54

Function 00AC5ED0 Relevance: 7.8, APIs: 5, Instructions: 284serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00AC5FA2
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00AC5FEC
GetLastError.KERNEL32 ref: 00AC600B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00AC60BF
CloseServiceHandle.ADVAPI32(00000000), ref: 00AC62BA

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 0269063511b867cc8adaa7479f57121f0b60a650c3f068a486bf68d8873b136b
Instruction ID: eaeedc4e468acf22e45c129c717deb485021885e6eea1fc657278ed41e9316d6
Opcode Fuzzy Hash: 0269063511b867cc8adaa7479f57121f0b60a650c3f068a486bf68d8873b136b
Instruction Fuzzy Hash: 59C12172910201DFD718DFA8ED96A7A7BB4F724300B01452EE906DB271EF34AA42CF95

Function 00AD1650 Relevance: 7.7, APIs: 5, Instructions: 180filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00AD1762
FindFirstFileA.KERNEL32(?,?), ref: 00AD1850
DeleteFileA.KERNEL32(?), ref: 00AD1901
FindNextFileA.KERNEL32(00000000,?), ref: 00AD1924
FindClose.KERNEL32(00000000), ref: 00AD193D

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: f7be24efa2bdffb3de2a1a6d76070806d244fd8d0884780081b1c91a366055cd
Instruction ID: 0be64b4718d8e4f6f18b4e69fefdc7b21ab1ef75bb361c7b37dad73c767a69bf
Opcode Fuzzy Hash: f7be24efa2bdffb3de2a1a6d76070806d244fd8d0884780081b1c91a366055cd
Instruction Fuzzy Hash: 2B71DE729102549FC754DFE8FD86ABA37B8FB24301F00856AE505D72B1EF349A82CB94

Function 00AD5E60 Relevance: 6.2, APIs: 4, Instructions: 167processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD5F1A
Process32First.KERNEL32(00000000,00000128), ref: 00AD5F73
Process32Next.KERNEL32(00000000,00000128), ref: 00AD6095
CloseHandle.KERNEL32(00000000), ref: 00AD6123

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0023e5960e4a44a38e9ec491c6c4dbe39173ffde80cce3984f5c48170b8659d8
Instruction ID: 1f01a022dbea20c8dcdd9d55935f730d66d000920b5c332e288320a167dba9dd
Opcode Fuzzy Hash: 0023e5960e4a44a38e9ec491c6c4dbe39173ffde80cce3984f5c48170b8659d8
Instruction Fuzzy Hash: 8471BBB6911214CBC714DFA8FD866BA37B8F728311B50852BE906D7261EF34D986CF11

Function 00AD3CB0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 470fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 00AD43F4

Strings

FH8, xrefs: 00AD3D5B
, xrefs: 00AD436E

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: DeleteFile
String ID: $FH8
API String ID: 4033686569-606782576
Opcode ID: b1bda8ca290b472f8c1fb1e018c0b33f28b24be8c81d1be984e8851c2a84d708
Instruction ID: b25d0f79800923125068286293e24fd11aeca470d2eaa6aa1bac25911aed8301
Opcode Fuzzy Hash: b1bda8ca290b472f8c1fb1e018c0b33f28b24be8c81d1be984e8851c2a84d708
Instruction Fuzzy Hash: A7022472A102048FD714EFA8FD86ABA37B5F724311F04452AE506DB3A1EF759942CF91

Function 00AD7AC1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 162registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_00028A40), ref: 00AD7BB6
SetServiceStatus.ADVAPI32(00B11504), ref: 00AD7C2D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD7C5F
SetServiceStatus.ADVAPI32(00B11504), ref: 00AD7CB4
WaitForSingleObject.KERNEL32(00001388), ref: 00AD7CE8
SetServiceStatus.ADVAPI32(00B11504), ref: 00AD7D76
CloseHandle.KERNEL32 ref: 00AD7D94
SetServiceStatus.ADVAPI32(00B11504), ref: 00AD7E26

Strings

W@_, xrefs: 00AD7D37
R\, xrefs: 00AD7E40

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: R\$W@_
API String ID: 3399922960-625819527
Opcode ID: e3c9b986fd290bfb01b95c9bdc32d3a4038619460c58965bd7f45c2ebbb411d8
Instruction ID: 4f139be7d17216c531763d096c6209e9ee73e31f85b931c2150fd7f1bcc564ac
Opcode Fuzzy Hash: e3c9b986fd290bfb01b95c9bdc32d3a4038619460c58965bd7f45c2ebbb411d8
Instruction Fuzzy Hash: D68137B9A10201CFD718DFA9FE95AA43BF1F764341B80891AE512CB6B0EF759542CF44

Function 00AE74D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00AE7585
Process32First.KERNEL32(00000000,00000128), ref: 00AE75E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00AE768A
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00AE76B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00AE76E3
Process32Next.KERNEL32(00000000,00000128), ref: 00AE7760
CloseHandle.KERNEL32(00000000), ref: 00AE77AC

Strings

W, xrefs: 00AE7794

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: 572ddb0d40f672d7872bb0a8404a179633f95d6cc61c738d36e7f031f05eeab1
Instruction ID: 546a225110aca1b3f3995d400ef3a888508650216bf7a610355dbbbd938765c5
Opcode Fuzzy Hash: 572ddb0d40f672d7872bb0a8404a179633f95d6cc61c738d36e7f031f05eeab1
Instruction Fuzzy Hash: 3D817775611200DBC718DFA8FD85ABA77F8FB28745B00852AE946C7271EF349942CB54

Function 00AD1CD0 Relevance: 10.7, APIs: 7, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AD1D52
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00AD1D86
CloseHandle.KERNEL32(00000000), ref: 00AD1D97
GetTickCount.KERNEL32 ref: 00AD1E02
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AD1FDE
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00AD2015
CloseHandle.KERNEL32(00000000), ref: 00AD2026

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: bfeb5a295167bb3b5b2e5ae319a6ac719523eeeb84bfbf05c7deacc080e28e55
Instruction ID: c07eb43dfacd4d98952980164fbf7bf6607c28a1b224e82eb1c4b591e3f0b4ee
Opcode Fuzzy Hash: bfeb5a295167bb3b5b2e5ae319a6ac719523eeeb84bfbf05c7deacc080e28e55
Instruction Fuzzy Hash: 1791BF72510200AFD318EFA8FD86B7A37B4F724711F10451AF906DB2B1EB759A42CB95

Function 00AEB460 Relevance: 9.1, APIs: 6, Instructions: 138filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AEB4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AEB52B
CloseHandle.KERNEL32(00000000), ref: 00AEB561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AEB5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00AEB619
CloseHandle.KERNEL32(00000000), ref: 00AEB62D

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: e254470b499a65c7308d63f7bdb20468f9f7dfa05c03c7f1aad29c1024fc5568
Instruction ID: fcab3d9a5f63fee37e0b3b52f1643ea4733f3710dc0c0903471be843c2fb9282
Opcode Fuzzy Hash: e254470b499a65c7308d63f7bdb20468f9f7dfa05c03c7f1aad29c1024fc5568
Instruction Fuzzy Hash: 2F51DF31510205DBC710DFA9FC85ABA77B4FB24311F10861BE915DB6B0EF349981DBA5

Function 00ACF9C0 Relevance: 7.6, APIs: 5, Instructions: 91synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00ACFA3C
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00ACFA66
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00ACFA95
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000), ref: 00ACFAD6
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00ACFB15

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 3ffcc7ba99404bb5294b88570d942af06d090d7b19d1ff992ad19e8ced7185b7
Instruction ID: 1b928ee2b656d6d701974919360a4e7549f0b5026360f5937384a742a78e265c
Opcode Fuzzy Hash: 3ffcc7ba99404bb5294b88570d942af06d090d7b19d1ff992ad19e8ced7185b7
Instruction Fuzzy Hash: 6C416B712102049FD314DFE8ED96B6A7BF5EB28351B00852AE94ACB3B0DF70A841CF44

Function 00AE8A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00B11504), ref: 00AE8ABA
SetEvent.KERNEL32 ref: 00AE8AD9
SetServiceStatus.ADVAPI32(00B11504), ref: 00AE8B95

Strings

^iJ, xrefs: 00AE8B5D

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: ^iJ
API String ID: 3225596143-2484620576
Opcode ID: ee180dfbb29c0c2e625a4cfc37adc9ab72c4eeec659cd0e9c8315bd8428d800e
Instruction ID: 6ea48b0a2217de4c35ba99c5cde9abbac7cee26af4c1784f1b805eeaeb61c325
Opcode Fuzzy Hash: ee180dfbb29c0c2e625a4cfc37adc9ab72c4eeec659cd0e9c8315bd8428d800e
Instruction Fuzzy Hash: 2931ECB5914341CEC714DFA5FD969BA7BB8F724740350881AE506CB270EF3A8992CF15

Function 00ACF6A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00AEB3AD), ref: 00ACF6E2
GetStdHandle.KERNEL32(000000F5,?,00AEB3AD), ref: 00ACF726
GetStdHandle.KERNEL32(000000F4,?,00AEB3AD), ref: 00ACF793

Strings

)He, xrefs: 00ACF795

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Handle
String ID: )He
API String ID: 2519475695-3578743732
Opcode ID: 3676e432d481da594f66718accb96a9661e90047c176a09def8de9e1436b5a5d
Instruction ID: 705d5929734c47461005bfedded89c09809bee471878cb1846d01154085579e6
Opcode Fuzzy Hash: 3676e432d481da594f66718accb96a9661e90047c176a09def8de9e1436b5a5d
Instruction Fuzzy Hash: 54219D718652518FC718CFA9FD91A753BB5FB29755700861BE422C76B0EFB48482CF09

Function 00AD25A0 Relevance: 6.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00ADA040,00000000,?), ref: 00AD25F8
RtlReAllocateHeap.NTDLL(00000000,?,00ADA040,00000000), ref: 00AD25FF
GetProcessHeap.KERNEL32(00000000,?,?,00ADA040,00000000,?), ref: 00AD261B
HeapAlloc.KERNEL32(00000000,?,00ADA040,00000000,?), ref: 00AD2622

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: afea270b8a816359eddbed8d888d1097b9a415078d075f45ec26806b5a6fdc47
Instruction ID: 290763555d7dfaa713fccadd18670e10add70fdd7332ba3fe2c3de926ef3a263
Opcode Fuzzy Hash: afea270b8a816359eddbed8d888d1097b9a415078d075f45ec26806b5a6fdc47
Instruction Fuzzy Hash: AB016976550205EBD714CFF9EE48A7A37B8E7A8701B40841AFA19CB521EB35C802CB26

Function 00ADA110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,00000001,00000000,00000001,00000000,?,00AC87C6,?,00000001), ref: 00ADA240
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00AC87C6,?), ref: 00ADA2FA

Strings

Z_%., xrefs: 00ADA261

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: FileRead
String ID: Z_%.
API String ID: 2738559852-3593569407
Opcode ID: 7ce3184e6e9ec289351694facb13ec1e1cd4e0441efda4ca8941b27499732d36
Instruction ID: aad596a5e05aa23ef396f6c100aad582f0939e19052ce49c26aa2d026c55e5c9
Opcode Fuzzy Hash: 7ce3184e6e9ec289351694facb13ec1e1cd4e0441efda4ca8941b27499732d36
Instruction Fuzzy Hash: C651ED35210200CBC714CFE8ED84ABE37F9F768711B45022AE906CB6A0EB34DD82CB56

Function 00ADEB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00ADEB9A
GetLastError.KERNEL32 ref: 00ADEBC9

Strings

+{(, xrefs: 00ADEBF0

Memory Dump Source

Source File: 00000002.00000002.1381018148.0000000000AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.1381001054.0000000000AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381046132.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000AF5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B0E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381064818.0000000000B11000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1381138953.0000000000B12000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_d939bcdhmynt2wokv.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: +{(
API String ID: 1917127615-1986729412
Opcode ID: c1f5cebb8b4d87de6a4a602e8ffc24a413ddddc112d69febac48d49c66c67ad9
Instruction ID: 770d104785b7106e976181bcf196deba62af3cb550f4e8cf0f05741d848f3c7d
Opcode Fuzzy Hash: c1f5cebb8b4d87de6a4a602e8ffc24a413ddddc112d69febac48d49c66c67ad9
Instruction Fuzzy Hash: 7F218B352206008FC718EFA8FDD69793BF6F368741310412AE816CB670EF709982CB96

Analysis Process: evwoxfz.exePID: 7800, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1919
Total number of Limit Nodes:	39

Executed Functions

Function 00D34E51 Relevance: 66.9, APIs: 29, Strings: 8, Instructions: 2114synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00D35988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D359F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D35A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00D35A92
GetTickCount.KERNEL32 ref: 00D35B31

Part of subcall function 00D26220: GetVersionExA.KERNEL32(00D61250), ref: 00D262F0
Part of subcall function 00D26220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00D2640F

GetCommandLineA.KERNEL32 ref: 00D35C00
Sleep.KERNEL32(000007D0), ref: 00D362F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00D363D0
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00D363E6
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00D36401
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 00D365FB
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00D36655
GetCommandLineA.KERNEL32 ref: 00D366EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00D36787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 00D369DB
WSAStartup.WS2_32(00000202,?), ref: 00D36BD6
CloseHandle.KERNEL32 ref: 00D36D98
SetFileAttributesA.KERNEL32(?,00000080), ref: 00D36DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 00D36E23

Part of subcall function 00D21650: Sleep.KERNELBASE(000003E8), ref: 00D21762
Part of subcall function 00D21650: FindFirstFileA.KERNELBASE(?,?), ref: 00D21850

Part of subcall function 00D3F040: lstrlen.KERNEL32(?,?,00D2173B,?,00000104,?), ref: 00D3F091

Sleep.KERNEL32(000003E8), ref: 00D36270

Part of subcall function 00D374D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D37585
Part of subcall function 00D374D0: Process32First.KERNEL32(00000000,00000128), ref: 00D375E1
Part of subcall function 00D374D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00D3768A

Strings

W^V, xrefs: 00D36CA6
e, xrefs: 00D357ED
-"[, xrefs: 00D354AF, 00D354C0
7n2`, xrefs: 00D35C78
C:\iduicjypf\pubealmiyel.exe, xrefs: 00D36B75, 00D36B8F, 00D37075, 00D37092, 00D370AA, 00D37270
nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe", xrefs: 00D3721E, 00D37264
gcXO, xrefs: 00D36818
C:\Windows\system32\config\systemprofile, xrefs: 00D35982

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Windows\system32\config\systemprofile$C:\iduicjypf\pubealmiyel.exe$W^V$gcXO$nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"$e
API String ID: 552692769-1579459100
Opcode ID: c58c3cd0cf6d981b374c522c12a2f3f9c27951b80e8a6f9642c394e11b422d61
Instruction ID: fb0294ff64aebbc34782c68390bbecf726551d5e87d3ab606318c6deee92d76b
Opcode Fuzzy Hash: c58c3cd0cf6d981b374c522c12a2f3f9c27951b80e8a6f9642c394e11b422d61
Instruction Fuzzy Hash: 7E13F1799003009BD718DF68FC96A7A37B4FB19746F04452AE906DA3B1EBB09980CF75

Function 00D26220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00D61250), ref: 00D262F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00D2640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00D2659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00D265D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D266CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D267C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D26AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D26B2C

Part of subcall function 00D17080: wvsprintfA.USER32(00000000,?,00D39ED1), ref: 00D170C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00D26C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D26E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00D26F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00D2709E

Strings

C:\iduicjypf\, xrefs: 00D26707, 00D26AEC, 00D26D7B, 00D26F4F
\, xrefs: 00D26CEA
C:\Windows\system32\config\systemprofile, xrefs: 00D2694F, 00D269EC

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Windows\system32\config\systemprofile$C:\iduicjypf\$\
API String ID: 3229173561-1627785957
Opcode ID: f677d0bcb9cf6783a30ea52012aa3a29b019b761aafbd9e18978e01e37899e2d
Instruction ID: 3fbc8edef577977ca94a6a0fa82deaef407e76efdcbac5430e6a2ee5ae97f66b
Opcode Fuzzy Hash: f677d0bcb9cf6783a30ea52012aa3a29b019b761aafbd9e18978e01e37899e2d
Instruction Fuzzy Hash: 5B72EF799003149BD708DF68FC82ABA77B4FB25306F04402AE906D73A1EB749985CF75

Function 00D28D30 Relevance: 25.1, APIs: 13, Strings: 1, Instructions: 607
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00D28F40
LoadLibraryA.KERNELBASE(00000000), ref: 00D28FA3

Strings

,ojB, xrefs: 00D294C0

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ,ojB
API String ID: 3872204244-2414600214
Opcode ID: 70b33c77e724eb0fbe48c983cfba527adcb4f98d744099cd83615c6998ce11d5
Instruction ID: 3a0e185e7f24f39fc093c258e0cfad6f3f48245555d9f1af980f38a1fa56d67b
Opcode Fuzzy Hash: 70b33c77e724eb0fbe48c983cfba527adcb4f98d744099cd83615c6998ce11d5
Instruction Fuzzy Hash: E842BB796103109FD708DF68FC926697BB4FB2A316B04012AE806DB3B0EB35D941CB76

Function 00D39610 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1103COMMON

Download Yara Rule

Strings

OqJ, xrefs: 00D3A31B
/, xrefs: 00D39846
^B|W, xrefs: 00D39665

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID:
String ID: /$OqJ$^B|W
API String ID: 0-3638892137
Opcode ID: 051d603ffa8edba4d5bf87144f5df3e46f5c6d44399b2e1103746a8ef31202fc
Instruction ID: 3563a108a390dc2e4bc06037b81706b12b29f730d61744d2879c481b5066c2c1
Opcode Fuzzy Hash: 051d603ffa8edba4d5bf87144f5df3e46f5c6d44399b2e1103746a8ef31202fc
Instruction Fuzzy Hash: B1A2CD79A103108BD718DF68FCA267A77B4FB56316F04412AE806DB3B1EB749941CB72

Function 00D2EDA0 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 609
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D200A0: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,00D2EF83), ref: 00D200DF
Part of subcall function 00D200A0: __aulldiv.LIBCMT ref: 00D20109

Sleep.KERNELBASE(000008AE), ref: 00D2F7C9

Strings

C:\iduicjypf\pubealmiyel.exe, xrefs: 00D2F845
Wy, xrefs: 00D2F88E
nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe", xrefs: 00D2F840
@, xrefs: 00D2F71F

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Time$FileSleepSystem__aulldiv
String ID: @$C:\iduicjypf\pubealmiyel.exe$Wy$nsdtaiblb9qr "c:\iduicjypf\evwoxfz.exe"
API String ID: 3392738291-3044920113
Opcode ID: ebc6777c44ea6cd71e0a377bab1f39b086e44185c2a1a29934a80698e2221830
Instruction ID: fcf82c40dfe22ad865f597bc1fa86b0c360fc0dfc4af6a6a8d9b91f2ed22170d
Opcode Fuzzy Hash: ebc6777c44ea6cd71e0a377bab1f39b086e44185c2a1a29934a80698e2221830
Instruction Fuzzy Hash: 8142CC7A9113149FC714DF64FD92AAA77B4FB2A316B14442AE802D7371EB309980CF71

Function 00D21650 Relevance: 7.7, APIs: 5, Instructions: 180
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8), ref: 00D21762
FindFirstFileA.KERNELBASE(?,?), ref: 00D21850
DeleteFileA.KERNELBASE(?), ref: 00D21901
FindNextFileA.KERNELBASE(00000000,?), ref: 00D21924
FindClose.KERNEL32(00000000), ref: 00D2193D

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: d3aba34a3195e1fa70c451938491a061df305e5a7db957c04835458f774319f4
Instruction ID: 0d00f8782624f169ff65f1158a9c18e4c28ce90c22feb714c05807ea3e03397a
Opcode Fuzzy Hash: d3aba34a3195e1fa70c451938491a061df305e5a7db957c04835458f774319f4
Instruction Fuzzy Hash: 1971FD7A9003649BC744DF68FC86AAA37B8FB22316F044166E805C7371EB749980CFB4

Function 00D25E60 Relevance: 6.2, APIs: 4, Instructions: 167
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 00D25F1A
Process32First.KERNEL32(00000000,00000128), ref: 00D25F73
Process32Next.KERNEL32(00000000,00000128), ref: 00D26095
CloseHandle.KERNELBASE(00000000), ref: 00D26123

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 94729e8c1a1a537febfd05e06b1224923f086ab5b45be18c34a19eb7d984bd43
Instruction ID: d8368d8b81b9bbd30f38cf29911da4b9950925b0b131517a4187dc0d8bcdff2b
Opcode Fuzzy Hash: 94729e8c1a1a537febfd05e06b1224923f086ab5b45be18c34a19eb7d984bd43
Instruction Fuzzy Hash: C571CFBA911310CBC714DF68FD86AAA77B8FB1931AB14442AEC05C6365EB34D985CF31

Function 00D3DFB0 Relevance: 4.7, APIs: 3, Instructions: 224
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000), ref: 00D3E107
GetProcAddress.KERNEL32(00000000), ref: 00D3E187
CryptGenRandom.ADVAPI32(00000004,?,00000000,?), ref: 00D3E29F

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: 4f39dde91dc53bb190eaf25d30b73e3490a119d5a297ebce4f903b364c1c2cf5
Instruction ID: b498682c4d7c007269b84952f6a86fb2a9e71ee4a670a001e22f404f60d20a5c
Opcode Fuzzy Hash: 4f39dde91dc53bb190eaf25d30b73e3490a119d5a297ebce4f903b364c1c2cf5
Instruction Fuzzy Hash: 62A1DB79511350CBD718DF68FC96A6A37F0FB1A352B08412AE816CA3F1EBB48940CB75

Function 00D3CF70 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00D3D0D4

Strings

m6 , xrefs: 00D3D8A5

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: ComputerName
String ID: m6
API String ID: 3545744682-1930140140
Opcode ID: bfd06a26dba121740f8fa754e945ba7f709f10f1ba3b068b0438e88e88155f80
Instruction ID: 662b03a8e2384b774d71734732ae998cbcd9770e2ce4df0d73c09260546ab1f6
Opcode Fuzzy Hash: bfd06a26dba121740f8fa754e945ba7f709f10f1ba3b068b0438e88e88155f80
Instruction Fuzzy Hash: 4052BE799103049BD718EF64FD92AAA77B4FB24302F54041AE902E73B1EB709A85CF75

Function 00D39809 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00D39846

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e9d394e7a3b96f1fa73df409d0f11df6cf7431560ac606c1a648b6682b3393dd
Instruction ID: 18e6f08a6c557d99d40300cd58adab093c9b0b03932824598b8af823d921ae45
Opcode Fuzzy Hash: e9d394e7a3b96f1fa73df409d0f11df6cf7431560ac606c1a648b6682b3393dd
Instruction Fuzzy Hash: C70204359103149BD718EF28FC92ABA77B4FB55302F04512AE906E73A1EB709A45CF71

Function 00D3DE80 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00D3DEC5

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: d9e0e081fbadbe4d7224ce2595b806afac1c8cde2ef68d9279db782ade45b98e
Instruction ID: 8ae20418b45b4b84f6f23626f5a584b9b6d22315e71cf6ae6a08a1164cf1a5c9
Opcode Fuzzy Hash: d9e0e081fbadbe4d7224ce2595b806afac1c8cde2ef68d9279db782ade45b98e
Instruction Fuzzy Hash: 700108799043458FCB50DFA4EC926AA77B4FB25312F14880AE816D7760E77585898BA0

Function 00D27AC1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 162
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_00028A40), ref: 00D27BB6
SetServiceStatus.SECHOST(00D61504), ref: 00D27C2D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D27C5F
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27CB4
WaitForSingleObject.KERNEL32(00001388), ref: 00D27CE8
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27D76
CloseHandle.KERNEL32 ref: 00D27D94
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27E26

Strings

R\, xrefs: 00D27E40
W@_, xrefs: 00D27D37

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: R\$W@_
API String ID: 3399922960-625819527
Opcode ID: 819de2ed46a802b8b8a0d42c065dad1e58bf7e3b9e8a7bb7680dcfeee8487476
Instruction ID: ee60cdd5e5f3472d01561295547237874845b5d89c87399a1d30ea6fb12cc8c7
Opcode Fuzzy Hash: 819de2ed46a802b8b8a0d42c065dad1e58bf7e3b9e8a7bb7680dcfeee8487476
Instruction Fuzzy Hash: 5A8131BD510301CBD704DF68FD96A217BB0F769306B08452AE802CA7B5E7B59941DF71

Function 00D3AEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000009,00000000), ref: 00D3B03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00D37EFD), ref: 00D3B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00D37EFD), ref: 00D3B2C0

Strings

>fx, xrefs: 00D3B1DA

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: cdace4495aca86df8242b7ad53e28883cb832e72f78e5b0f9508cb03df11be14
Instruction ID: cbf1d4dd93e26508da3ebc587c76e02e6d80c6ace52cc94ae2df18ab478c0f9e
Opcode Fuzzy Hash: cdace4495aca86df8242b7ad53e28883cb832e72f78e5b0f9508cb03df11be14
Instruction Fuzzy Hash: 60B1A77A610710DBDB04CF68FD9262A77B4FB16722F54012AE91ACA3B1EB34D850CB75

Function 00D38700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D387C2
CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 00D38815
FreeSid.ADVAPI32(?), ref: 00D38874

Strings

V=, xrefs: 00D38854

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: V=
API String ID: 3429775523-117639121
Opcode ID: 913d8c073e39f5ce627f817488cb90c4e8975fdb814605349b00851cd22d460b
Instruction ID: a731d38cdc6b941a60d850bbd5698dea2b28ab5ea13bb3033d46fa3e5f49b380
Opcode Fuzzy Hash: 913d8c073e39f5ce627f817488cb90c4e8975fdb814605349b00851cd22d460b
Instruction Fuzzy Hash: D941AB79911300EBDB44CFA8FD86A6977F4FB1A316F54111AE805D73A1EB30A980EB71

Function 00D29830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00D2F84F,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00D29906
CloseHandle.KERNEL32(00D2F84F), ref: 00D29920
CloseHandle.KERNEL32(?), ref: 00D2994F

Strings

D, xrefs: 00D298AE

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 2469e283f586ff84f8bebe97e9520033eb2169e79159865675193be16f49aab5
Instruction ID: 282c673e804b1124fe072dba7e06f8cc79dac0734d01e9de9a04510963f82a72
Opcode Fuzzy Hash: 2469e283f586ff84f8bebe97e9520033eb2169e79159865675193be16f49aab5
Instruction Fuzzy Hash: 9341BE78540314DBD714CFA4ED92BAA7BB8F719712F00140AE912DA3B0E7B5A940CB74

Function 00D3B0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00D37EFD), ref: 00D3B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00D37EFD), ref: 00D3B2C0

Strings

>fx, xrefs: 00D3B1DA

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 37732b387ee8a7cc95c97c7c67039753f2577e4ce181872098ff9e2ece46338c
Instruction ID: ddc8d425265966cd497d059aaac9a7b7e9b1f7dcf762cf3b548ce59dbf376715
Opcode Fuzzy Hash: 37732b387ee8a7cc95c97c7c67039753f2577e4ce181872098ff9e2ece46338c
Instruction Fuzzy Hash: F351997A500714DBCB14DF68EE9266A73F4F726322B500127EA06CA3A1EB30C941CF75

Function 00D17300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00D2603A,?,?,00D2603A,?,?,?), ref: 00D17397
CharLowerBuffA.USER32(00D2603A,00000000,?,00D2603A,?,?,?), ref: 00D173BE

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 87bb60abc6b1765fb33804def11cd8b918e08f86831312df411be466a489cba7
Instruction ID: cffb0ab370b140bde85b388b6f42bf01dc12324a49ee2e68164d5f5e72794bfe
Opcode Fuzzy Hash: 87bb60abc6b1765fb33804def11cd8b918e08f86831312df411be466a489cba7
Instruction Fuzzy Hash: 26219A7A2147109B9B05CF69FCA287937F5FB0A7023048016E80ACB335DB74A881DB72

Function 00D16C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000002,?,00D24D48,00D2182F,00D2182F,00000000,-00000002,?,00D2182F,00000002,00000000), ref: 00D16CA6
RtlFreeHeap.NTDLL(00000000,?,00D24D48,00D2182F,00D2182F,00000000,-00000002,?,00D2182F,00000002,00000000), ref: 00D16CAD

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4332047c14e0821bf1aade98629c0a7caaceb92cc03b72981e23f81afd2d6d11
Instruction ID: 59976d7f8a6bfacb574d495de2a82dd2de7b7050ca44a2d77a334cd9360391f1
Opcode Fuzzy Hash: 4332047c14e0821bf1aade98629c0a7caaceb92cc03b72981e23f81afd2d6d11
Instruction Fuzzy Hash: 12D0C939464308DFE7809FA8FC0DF193B68EB46745F10401AF719C6232DBB099609BB5

Function 00D1F320 Relevance: 3.0, APIs: 2, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00D19A8B,?,00D3B3E9), ref: 00D1F341
RtlAllocateHeap.NTDLL(00000000,?,00D19A8B,?,00D3B3E9), ref: 00D1F348

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1a52a6b733ae8eaaa00937508b52932f32f2f643106e695961f0b3298892a864
Instruction ID: 0389c8fe1d4ccd6094693416f2d7e6439fcb5590c032970b4aecd763da50f0b9
Opcode Fuzzy Hash: 1a52a6b733ae8eaaa00937508b52932f32f2f643106e695961f0b3298892a864
Instruction Fuzzy Hash: D7D092B8405304ABCB409FA5FD4EA1A7FA8A706A90F001059E668C77B9CB7291009EB4

Function 00D18030 Relevance: 1.7, APIs: 1, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00D2F0ED,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00D2F0ED), ref: 00D181AB

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8d7c3501b65ea7283a81057b4aad8624744684c4955e741b6114c164e0335b7e
Instruction ID: f9e6f5cda594340075aaf42343d301e497181b0e7b62543f8979479b7beb8959
Opcode Fuzzy Hash: 8d7c3501b65ea7283a81057b4aad8624744684c4955e741b6114c164e0335b7e
Instruction Fuzzy Hash: D251EC79A05300ABC314CF28FD8277A77E5F716756B04402AEC06DA3B0EB749981DBB1

Function 00D2B470 Relevance: 1.6, APIs: 1, Instructions: 124fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00D2B57A

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 50a527fa424ccc0e962331f0039ba6969691fc539c4fe3bec77da16275c84366
Instruction ID: bd81f5fc9845a0633bd653515fce1854da5a5e8e01fef8f17f512632d8b98b1e
Opcode Fuzzy Hash: 50a527fa424ccc0e962331f0039ba6969691fc539c4fe3bec77da16275c84366
Instruction Fuzzy Hash: AA5188795013649BD728DF28FC82AB637B4F72572AF14511BE905CA3A1E7B4C940CBB1

Function 00D28900 Relevance: 1.4, APIs: 1, Instructions: 192sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,?,?,00000000,?,00D2F0ED,?), ref: 00D28A7D

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b0ea88f3f94991a162c10404bb21748a63d0b2044a7c9c80b01acb714443f5ff
Instruction ID: d3496b5b2fad06545dd1d01e4061cdd0acd0bb1d53a40052726d6ff127b01bbf
Opcode Fuzzy Hash: b0ea88f3f94991a162c10404bb21748a63d0b2044a7c9c80b01acb714443f5ff
Instruction Fuzzy Hash: 4D81BB3A5413108BC718DF28FD92A3A37A1F76A756B14002AEC06CB7B1EB749980DF75

Non-executed Functions

Function 00D182D0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 373pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D18407

Strings

D, xrefs: 00D1858F

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CreatePipe
String ID: D
API String ID: 2719314638-2746444292
Opcode ID: 7ab3e2e2719b826eb4291982a9fb7df5c300c0620f298a9cea8fa522d0a28fd1
Instruction ID: 704fa0935d9738e498402e34210a7db9b372912f0b886010fa9db7dd09bfb5f4
Opcode Fuzzy Hash: 7ab3e2e2719b826eb4291982a9fb7df5c300c0620f298a9cea8fa522d0a28fd1
Instruction Fuzzy Hash: F0F17B79910304EFDB08DFA8FD96AA97BB5FB05702B14051AE806D6370EB709A80DF75

Function 00D3BB30 Relevance: 13.7, APIs: 9, Instructions: 158serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00D3BB7D
CreateServiceA.ADVAPI32(00000000,00F9E5D0,00F9E5D0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D3BBE8
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00D3BC31
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D3BC80
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BC91
OpenServiceA.ADVAPI32(00000000,00000010), ref: 00D3BCEF
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D3BD32
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BD7B
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BDB8

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 6b984109f9d1ce090ce9bd14b883a0ae6511ce24bb82e1cc5bf2ed09e7193c2c
Instruction ID: f54b37b73f97e4d164b4f9646ae115466014b33c4f060fee9d07c37d157f4e86
Opcode Fuzzy Hash: 6b984109f9d1ce090ce9bd14b883a0ae6511ce24bb82e1cc5bf2ed09e7193c2c
Instruction Fuzzy Hash: 98519979511700DBD7288F68FC9677A77B0FB0A716B04401AEE02CA7B0EB748442DB76

Function 00D24ED0 Relevance: 10.8, APIs: 7, Instructions: 345processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00D24FD1
Process32First.KERNEL32(00000000,00000128), ref: 00D250F8
CloseHandle.KERNEL32(00000000), ref: 00D2548A

Part of subcall function 00D3F040: lstrlen.KERNEL32(?,?,00D2173B,?,00000104,?), ref: 00D3F091

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00D25267
Module32First.KERNEL32(00000000,00000224), ref: 00D252E7
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00D25406
Process32Next.KERNEL32(?,00000128), ref: 00D2545B

Part of subcall function 00D17080: wvsprintfA.USER32(00000000,?,00D39ED1), ref: 00D170C7

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Nextlstrlenwvsprintf
String ID:
API String ID: 2324068143-0
Opcode ID: 57838c262ad181a1f992e75ea197d88902176d9b3037ff983ba703e33de83b23
Instruction ID: 87a2e6a963343fb293f6b3d4dc53e4937a23fd055c2f7fae033115b44922c4a2
Opcode Fuzzy Hash: 57838c262ad181a1f992e75ea197d88902176d9b3037ff983ba703e33de83b23
Instruction Fuzzy Hash: D4E1CE396107108BD748DF28FC96A7A77F4FB65356B04112AEC06CA3B1EBB49980CB75

Function 00D15ED0 Relevance: 7.8, APIs: 5, Instructions: 284serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00D15FA2
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00D15FEC
GetLastError.KERNEL32 ref: 00D1600B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00D160BF
CloseServiceHandle.ADVAPI32(00000000), ref: 00D162BA

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 2904961c4b3492fa5558172207e5a0d9e1b8b83e2c010444d760394ae7472e27
Instruction ID: 493356a722b52020ebaef095286d35ceae81a362f1a2523ac9bcc9c731474f68
Opcode Fuzzy Hash: 2904961c4b3492fa5558172207e5a0d9e1b8b83e2c010444d760394ae7472e27
Instruction Fuzzy Hash: F7C1D07A9103109BC708DF68FD96AB97BB4FB05302B04412AED06DB365EB74A981CF75

Function 00D23CB0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 470fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 00D243F4

Strings

, xrefs: 00D2436E
FH8, xrefs: 00D23D5B

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: DeleteFile
String ID: $FH8
API String ID: 4033686569-606782576
Opcode ID: 129e286cc9d649ab46c0e27cc97f80f0098ee8494297c0ed867b4479c39018ca
Instruction ID: 3db538f261064179c8405d71262295c11e37edf6c8e5c5de58e18744c1f30f82
Opcode Fuzzy Hash: 129e286cc9d649ab46c0e27cc97f80f0098ee8494297c0ed867b4479c39018ca
Instruction Fuzzy Hash: 2F021339A103109BD714DF68FC92AAA37B4FB55316F54002AED06DB3A1EB759940CFB1

Function 00D374D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D37585
Process32First.KERNEL32(00000000,00000128), ref: 00D375E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00D3768A
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00D376B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00D376E3
Process32Next.KERNEL32(00000000,00000128), ref: 00D37760
CloseHandle.KERNEL32(00000000), ref: 00D377AC

Strings

W, xrefs: 00D37794

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: ce4ca677c84e9b2df976a495133cbb410eb39f29171722dd079df02169cc99ca
Instruction ID: a9806563387062c69141c2438b794a5463ba15c7cd7964268fb8beb1534bfe84
Opcode Fuzzy Hash: ce4ca677c84e9b2df976a495133cbb410eb39f29171722dd079df02169cc99ca
Instruction Fuzzy Hash: 0081887A611700EBC714DF68FD96AAA77B8FB0A356B14412AEC06C6371EB748940CF35

Function 00D21CD0 Relevance: 10.7, APIs: 7, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D21D52
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00D21D86
CloseHandle.KERNEL32(00000000), ref: 00D21D97
GetTickCount.KERNEL32 ref: 00D21E02
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D21FDE
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D22015
CloseHandle.KERNEL32(00000000), ref: 00D22026

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: a9f4dd845d2e7690f78c4b8dca037a2c5232d4507966bdf0e7c9bacba13e10c8
Instruction ID: 2f94484895786fa3b4d523c923ce64b95cc7dda7faa15ab93638e62c5b54b090
Opcode Fuzzy Hash: a9f4dd845d2e7690f78c4b8dca037a2c5232d4507966bdf0e7c9bacba13e10c8
Instruction Fuzzy Hash: 2D91CA7A510310ABD318DF68FD96B7A3BA4FB26716F04401AF805D63B1E7749A40CBB6

Function 00D3B460 Relevance: 9.1, APIs: 6, Instructions: 138filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00D3B4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00D3B52B
CloseHandle.KERNEL32(00000000), ref: 00D3B561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3B5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00D3B619
CloseHandle.KERNEL32(00000000), ref: 00D3B62D

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 925d0df7dabf351bde2e698e6ed754c6c6021760d8dcef26305f88d30472007d
Instruction ID: 3dc958b0d41dd7dbd332d5ac8de00908d0fb3ca2642d062c55a0ccd4a4768c34
Opcode Fuzzy Hash: 925d0df7dabf351bde2e698e6ed754c6c6021760d8dcef26305f88d30472007d
Instruction Fuzzy Hash: F551AE39550314EBC714DF68FC82AAA7BB4FB05322F10421BE915DA7B0EB749A40DBB5

Function 00D18C10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D18CCD
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00D18D4D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00D18E97
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D18F2E

Strings

"ie, xrefs: 00D18C37

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: "ie
API String ID: 2564258376-2574374593
Opcode ID: ab3dabad8d00f117cc1ee7096701cdbaa7fd26999552d4279681da0c8a3e0c09
Instruction ID: 866ff3c72ae6fd77f00c3d1b315f97f8daacb2fe345e6db6d62c0431d4724cbe
Opcode Fuzzy Hash: ab3dabad8d00f117cc1ee7096701cdbaa7fd26999552d4279681da0c8a3e0c09
Instruction Fuzzy Hash: 9381DA39A10310ABDB14DF68FC92BAA37B5FB45712F00002AFD05C63A1EB748981DBB5

Function 00D1F9C0 Relevance: 7.6, APIs: 5, Instructions: 91synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00D30D42,00D23700,00000001,00000000), ref: 00D1FA3C
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00D1FA66
CloseHandle.KERNEL32(00000000,?,00D30D42,00D23700,00000001,00000000), ref: 00D1FA95
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00D30D42,00D23700,00000001,00000000), ref: 00D1FAD6
CloseHandle.KERNEL32(00000000,?,00D30D42,00D23700,00000001,00000000), ref: 00D1FB15

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 78c395e6b31c5c02fdc3c9b54bdeb7786810d718b4abd71ba4744506e05c1e49
Instruction ID: 3fe36c983554d2ba89c462755ec2726b7c2d8f9b9c94ce00d246da84da159202
Opcode Fuzzy Hash: 78c395e6b31c5c02fdc3c9b54bdeb7786810d718b4abd71ba4744506e05c1e49
Instruction Fuzzy Hash: 874149796443009FD354CFA8ED95B6A7BF4EB19312B04812AE84ACB7B0DB74A8408B74

Function 00D2A110 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,00000001,00000000,00000001,00000000,?,00D187C6,?,00000001), ref: 00D2A240
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00D187C6,?), ref: 00D2A2FA

Strings

`d), xrefs: 00D2A282, 00D2A288
Z_%., xrefs: 00D2A261

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: FileRead
String ID: Z_%.$`d)
API String ID: 2738559852-2439003523
Opcode ID: dad6727a6c159550ac43459baf8c94f297e7eb1be25f726e45f9253cc3442bf0
Instruction ID: b6a518b6f895153ba37fe51741e63a9127261fd7343f99bf6964b434299108dc
Opcode Fuzzy Hash: dad6727a6c159550ac43459baf8c94f297e7eb1be25f726e45f9253cc3442bf0
Instruction Fuzzy Hash: D351DD39600315DBC708CF68FD81A6A77F9F76A726B45002AE805DB360EB30D980CB72

Function 00D38A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00D61504), ref: 00D38ABA
SetEvent.KERNEL32 ref: 00D38AD9
SetServiceStatus.ADVAPI32(00D61504), ref: 00D38B95

Strings

^iJ, xrefs: 00D38B5D

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: ^iJ
API String ID: 3225596143-2484620576
Opcode ID: 9d478ec968a829266530c1ca5b0de66581be2af8cfdf75eaf7990b96953d9dee
Instruction ID: da8bbbe0452ad88a94de366b9dcdb3fdd45a5e89ed5ee8efd5a73ba5c191a39e
Opcode Fuzzy Hash: 9d478ec968a829266530c1ca5b0de66581be2af8cfdf75eaf7990b96953d9dee
Instruction Fuzzy Hash: 893187B9504342CBC704DF64FDA2866B7B4F756342714941AE802CB3B0EB76C991EB36

Function 00D1F6A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00D3B3AD), ref: 00D1F6E2
GetStdHandle.KERNEL32(000000F5,?,00D3B3AD), ref: 00D1F726
GetStdHandle.KERNEL32(000000F4,?,00D3B3AD), ref: 00D1F793

Strings

)He, xrefs: 00D1F795

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Handle
String ID: )He
API String ID: 2519475695-3578743732
Opcode ID: bbaf9aa66acef4a63073c837797c706bf934f60a95a0246650c8dd05032cb02f
Instruction ID: 4abb36928fa05cea6cd49c68a46de5e60b9ec4954ac5a4a9d9933121bfa4d92d
Opcode Fuzzy Hash: bbaf9aa66acef4a63073c837797c706bf934f60a95a0246650c8dd05032cb02f
Instruction Fuzzy Hash: 9E217A798263618BC708DF69FD9166537B5FB0A31A704522BE812C63B0E7B48481CF79

Function 00D225A0 Relevance: 6.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00D2A040,00000000,?), ref: 00D225F8
RtlReAllocateHeap.NTDLL(00000000,?,00D2A040,00000000), ref: 00D225FF
GetProcessHeap.KERNEL32(00000000,?,?,00D2A040,00000000,?), ref: 00D2261B
HeapAlloc.KERNEL32(00000000,?,00D2A040,00000000,?), ref: 00D22622

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: bc9f544f3af384f68c54e003b41beade4e981e80417d92b1794e67eb85ef8e6d
Instruction ID: 31f24a736c9efb6ae2a1386933367892cd67c9deb5493086f476d0d4a403942e
Opcode Fuzzy Hash: bc9f544f3af384f68c54e003b41beade4e981e80417d92b1794e67eb85ef8e6d
Instruction Fuzzy Hash: F301697A550314EBD7049FB9FD49A3A77B8E749706B04800AF918CA760E734C9018B32

Function 00D2EB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00D2EB9A
GetLastError.KERNEL32 ref: 00D2EBC9

Strings

+{(, xrefs: 00D2EBF0

Memory Dump Source

Source File: 00000003.00000002.2137246627.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000003.00000002.2137064882.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137373117.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137589647.0000000000D5E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2137885877.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d10000_evwoxfz.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: +{(
API String ID: 1917127615-1986729412
Opcode ID: ae9a210d559a7974411df8294981ae4f43a8919441d3346132623c9e409bd758
Instruction ID: 6982c6306d70b2425df48434c58ede4454f86c40ebdbb483c9ba8c4c3b999675
Opcode Fuzzy Hash: ae9a210d559a7974411df8294981ae4f43a8919441d3346132623c9e409bd758
Instruction Fuzzy Hash: F92168396107108BD758EF68FDD65293BE6F7AA756314402AE80ACB370E7709981CB72

Analysis Process: pubealmiyel.exePID: 7856, Parent PID: 7800COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1863
Total number of Limit Nodes:	36

Executed Functions

Function 00C94E51 Relevance: 63.4, APIs: 29, Strings: 6, Instructions: 2114synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00C95988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C959F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C95A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C95A92
GetTickCount.KERNEL32 ref: 00C95B31

Part of subcall function 00C86220: GetVersionExA.KERNEL32(00CC1250), ref: 00C862F0
Part of subcall function 00C86220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00C8640F

GetCommandLineA.KERNEL32 ref: 00C95C00
Sleep.KERNELBASE(000007D0), ref: 00C962F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00C963D0
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00C963E6
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00C96401
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 00C965FB
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00C96655
GetCommandLineA.KERNEL32 ref: 00C966EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00C96787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 00C969DB
WSAStartup.WS2_32(00000202,?), ref: 00C96BD6
CloseHandle.KERNEL32 ref: 00C96D98
SetFileAttributesA.KERNEL32(?,00000080), ref: 00C96DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 00C96E23

Part of subcall function 00C81650: Sleep.KERNEL32(000003E8), ref: 00C81762
Part of subcall function 00C81650: FindFirstFileA.KERNEL32(?,?), ref: 00C81850

Part of subcall function 00C9F040: lstrlen.KERNEL32(?,?,00C74EA1,?), ref: 00C9F091

Sleep.KERNELBASE(000003E8), ref: 00C96270

Part of subcall function 00C974D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00C97585
Part of subcall function 00C974D0: Process32First.KERNEL32(00000000,00000128), ref: 00C975E1
Part of subcall function 00C974D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00C9768A

Strings

-"[, xrefs: 00C954AF, 00C954C0
gcXO, xrefs: 00C96818
C:\Windows\system32\config\systemprofile, xrefs: 00C95982
e, xrefs: 00C957ED
7n2`, xrefs: 00C95C78
W^V, xrefs: 00C96CA6

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Windows\system32\config\systemprofile$W^V$gcXO$e
API String ID: 552692769-508476934
Opcode ID: d7243a7ff71e0b9c10ee4686a77dd750ec0d43776f18250b26069925a7e306bb
Instruction ID: dbf04b8122a2ef3678c08dfd6dc6367ea68c329e6d6afb771764f81a7efd4764
Opcode Fuzzy Hash: d7243a7ff71e0b9c10ee4686a77dd750ec0d43776f18250b26069925a7e306bb
Instruction Fuzzy Hash: FC130E75900200DBDB18EF65FC9AB7E37B4FB06709F14422AE906CB2B2EB749940DB55

Function 00C86220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00CC1250), ref: 00C862F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00C8640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00C8659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00C865D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C866CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C867C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 00C86AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00C86B2C

Part of subcall function 00C77080: wvsprintfA.USER32(?,?,?), ref: 00C770C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C86C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C86E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00C86F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00C8709E

Strings

C:\iduicjypf\, xrefs: 00C86707, 00C86AEC, 00C86D7B, 00C86F4F
C:\Windows\system32\config\systemprofile, xrefs: 00C8694F, 00C869EC
\, xrefs: 00C86CEA

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Windows\system32\config\systemprofile$C:\iduicjypf\$\
API String ID: 3229173561-1627785957
Opcode ID: b91ee12ecf1994396cd243ebb2acff1a970e08c55daf42e1a7dd036d8cda3162
Instruction ID: b2b8ab7421f62cdbb0e1bbeadebf0345bdb4e6f7186e536a87e8891fb17e6df8
Opcode Fuzzy Hash: b91ee12ecf1994396cd243ebb2acff1a970e08c55daf42e1a7dd036d8cda3162
Instruction Fuzzy Hash: DD7214759002049BD708EF74FC86BBE37B4FB05309F04822AE906D7672EB749A85DB59

Function 00C85E60 Relevance: 6.2, APIs: 4, Instructions: 167
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C85F1A
Process32First.KERNEL32(00000000,00000128), ref: 00C85F73
Process32Next.KERNEL32(00000000,00000128), ref: 00C86095
CloseHandle.KERNELBASE(00000000), ref: 00C86123

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 307cfd5f4c4b1fb339d7735c76872ac1ab4135e556d619a1e94739bb6594e8fb
Instruction ID: 25b7b1d0a719af8d190d1603e399d142c1f76a502ba975148702f3695c9b6ee1
Opcode Fuzzy Hash: 307cfd5f4c4b1fb339d7735c76872ac1ab4135e556d619a1e94739bb6594e8fb
Instruction Fuzzy Hash: 9371BE72901200CBC714DFA8FD86BBE37B8F719309F14422AD906C7262EB349985CF15

Function 00C974D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00C97585
Process32First.KERNEL32(00000000,00000128), ref: 00C975E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00C9768A
TerminateProcess.KERNELBASE(00000000,000000FF,?,?,?,?,00000000), ref: 00C976B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00C976E3
Process32Next.KERNEL32(00000000,00000128), ref: 00C97760
CloseHandle.KERNEL32(00000000), ref: 00C977AC

Strings

W, xrefs: 00C97794

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: 11167719c79d0283792aa0f60ce4afa6023ece1044d4c1277f54216840e3eb3c
Instruction ID: a838f9bb479c951d09e9b1053c2b8cc863379132bb24261b9c9d85b5640128a2
Opcode Fuzzy Hash: 11167719c79d0283792aa0f60ce4afa6023ece1044d4c1277f54216840e3eb3c
Instruction Fuzzy Hash: C3817976611200DBC714DFA8FD8ABAE37F8FB09319F14421AE906C7271EB749940CB44

Function 00C9B460 Relevance: 9.1, APIs: 6, Instructions: 138
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C9B4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C9B52B
CloseHandle.KERNEL32(00000000), ref: 00C9B561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C9B5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00C9B619
CloseHandle.KERNEL32(00000000), ref: 00C9B62D

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 4bd2788d5df793e2d00b9f75aefcd0ec10de875d05655b769691fbcddd7355ec
Instruction ID: 68cec342d63b959cb7017dfc63379497fdf9c9e6b3b57a1d95e0c9795139d300
Opcode Fuzzy Hash: 4bd2788d5df793e2d00b9f75aefcd0ec10de875d05655b769691fbcddd7355ec
Instruction Fuzzy Hash: 54518935500214EBCB14CFA9FC85BAE77B4FB05725F10421BF915DA6B0EB389A80DB96

Function 00C9AEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00C9B03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00C9B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00C9B2C0

Strings

>fx, xrefs: 00C9B1DA

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: 17adc59434e0848faa2d3d96963aaf7f4b47b123d2d2ced0bd4a10bfede9d2be
Instruction ID: 77852afa0cf43c3fa221dfe966bb319dde7733a35a7f62854d6b0bb6519d316b
Opcode Fuzzy Hash: 17adc59434e0848faa2d3d96963aaf7f4b47b123d2d2ced0bd4a10bfede9d2be
Instruction Fuzzy Hash: 5BB1B776510600DBDB04DF68FE9A76E37B4FB06709F44422AE816CB2B1EB389D41DB85

Function 00C98700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C987C2
CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 00C98815
FreeSid.ADVAPI32(?), ref: 00C98874

Strings

V=, xrefs: 00C98854

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: V=
API String ID: 3429775523-117639121
Opcode ID: 08f8db15181ab45507bb1a4ecf08b74d6587116dacd3cb0e85195d76cba38ffc
Instruction ID: 0e77866b9454b877c9ec3739280b9b6bbc4ccf3dedf76c550e1b9e246b8f1df8
Opcode Fuzzy Hash: 08f8db15181ab45507bb1a4ecf08b74d6587116dacd3cb0e85195d76cba38ffc
Instruction Fuzzy Hash: 7341CEB5910200DFDB44CFA9ED89B7D37F4F70A30AF60521AE901D32A1EB309A84DB65

Function 00C89830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00C89906
CloseHandle.KERNEL32(?), ref: 00C89920
CloseHandle.KERNEL32(?), ref: 00C8994F

Strings

D, xrefs: 00C898AE

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 0bc70276b09c47c8af63978e6312a61ca454edfe1f46299ee5d6cb87cae7879f
Instruction ID: 1fd3c1d3cdc5487f0ae40e144ee6d8de78c07572099aea8bff7c91741048e473
Opcode Fuzzy Hash: 0bc70276b09c47c8af63978e6312a61ca454edfe1f46299ee5d6cb87cae7879f
Instruction Fuzzy Hash: 54418B74540204EBD714CFA8ED82BBD37B8F71A704F14461AE916DB2B2E779AA04CB45

Function 00C9B0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00C9B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00C9B2C0

Strings

>fx, xrefs: 00C9B1DA

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 996b8cf469496fc58b1810b96ab14013eeb19377982efb815537733899114c80
Instruction ID: dd1375e4709ea4100a32a1e4020024b5a372ae98041e1a937caf8790bc4aa6ae
Opcode Fuzzy Hash: 996b8cf469496fc58b1810b96ab14013eeb19377982efb815537733899114c80
Instruction Fuzzy Hash: AE519A76900604EBCB14DFA8FE9576E73F8F715709F54022AE905D72A1EB349D41DB40

Function 00C872E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00C87323

Strings

wJ, xrefs: 00C872FD

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: ExitProcess
String ID: wJ
API String ID: 621844428-3037638297
Opcode ID: e318b1247b2dea4fa453b98513f1cc5332a6eee778901f1fe99a30db1abcfa92
Instruction ID: 601baac0b084d5619e8722f0eeeb15c0b2983118703a0115bfedb1a7c7e0a13e
Opcode Fuzzy Hash: e318b1247b2dea4fa453b98513f1cc5332a6eee778901f1fe99a30db1abcfa92
Instruction Fuzzy Hash: E0E0EC381282548FCB009F65ED86B6C7BB9F752345B809329EC06C7172F7719801EF96

Function 00C77300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00C77397
CharLowerBuffA.USER32(?,00000000), ref: 00C773BE

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: f205be4e6922646ef7397f3ceb937e6ff857854ff4d12acab6381279da9fa940
Instruction ID: d20d4b1d45e0b7a73db781c450dac4cbdd81a4d4266ff061243060069f0fe681
Opcode Fuzzy Hash: f205be4e6922646ef7397f3ceb937e6ff857854ff4d12acab6381279da9fa940
Instruction Fuzzy Hash: 6C218C7A214500CBDB05CFA5FC92B3C3BB5FB4A709704821AE80ACB671DB78A841DF91

Function 00C76C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00C89FF6,?,00C89FF6,00000000), ref: 00C76CA6
RtlFreeHeap.NTDLL(00000000,?,00C89FF6,00000000), ref: 00C76CAD

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a64e59b11cb79901abd4fa50ac2a61a303f695f7735803a1a6c8efbf4714a975
Instruction ID: 75f9d2ce48b119e1a0afdd4b427c64656d7b8273b3fc3845ed0688674eccd6e0
Opcode Fuzzy Hash: a64e59b11cb79901abd4fa50ac2a61a303f695f7735803a1a6c8efbf4714a975
Instruction Fuzzy Hash: 2BD09231454308EFE7809BA8FD4DB193B68BB46749F10800AF60987421DA6099609BA5

Function 00C7F320 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00C79A8B,?,00C9B3E9), ref: 00C7F341
RtlAllocateHeap.NTDLL(00000000,?,00C79A8B,?,00C9B3E9), ref: 00C7F348

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 588514d95fdb7c66877ff9023dcae90c92979754895af74f81ef0fa4fda410c1
Instruction ID: 8995acb4c1e9246c5df8776717fc0ca6eaf2b65068b32fc9a8e14d6b4ffce811
Opcode Fuzzy Hash: 588514d95fdb7c66877ff9023dcae90c92979754895af74f81ef0fa4fda410c1
Instruction Fuzzy Hash: E5D092B0406304ABCB409FA4FD0EB193FA8F706B98F001059E55987674CB7299008F94

Non-executed Functions

Function 00C782D0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 373pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C78407

Strings

D, xrefs: 00C7858F

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CreatePipe
String ID: D
API String ID: 2719314638-2746444292
Opcode ID: e97b13098b23210b00ea2807ab10b36724add61e4ddedfd38932c3b7624657a9
Instruction ID: 0783967ffcb87825211c5a2c17b3ec300b86c28e49721424527b3fddb04d41b1
Opcode Fuzzy Hash: e97b13098b23210b00ea2807ab10b36724add61e4ddedfd38932c3b7624657a9
Instruction Fuzzy Hash: 9DF1BD35550204DFCB08DFA8ED8ABAD7BB4FB05704F14461AE906D72B1EB749A40DF15

Function 00C9BB30 Relevance: 13.7, APIs: 9, Instructions: 158serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00C9BB7D
CreateServiceA.ADVAPI32(00000000,01121490,01121490,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00C9BBE8
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00C9BC31
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C9BC80
CloseServiceHandle.ADVAPI32(00000000), ref: 00C9BC91
OpenServiceA.ADVAPI32(00000000,00000010), ref: 00C9BCEF
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00C9BD32
CloseServiceHandle.ADVAPI32(00000000), ref: 00C9BD7B
CloseServiceHandle.ADVAPI32(00000000), ref: 00C9BDB8

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 31e405cf89aff9be99685b09bbc02431d44f879816ed84289d112c125a64c2f3
Instruction ID: 19d2a5f6d018d8798bdf4353f207c5d4cdd7350131b0ce146dbdfee650ed823b
Opcode Fuzzy Hash: 31e405cf89aff9be99685b09bbc02431d44f879816ed84289d112c125a64c2f3
Instruction Fuzzy Hash: A951F436511600EBC715CF64FD95B7E37B4FB05B19F04421AE902C76B1EB788842DB66

Function 00C84ED0 Relevance: 10.8, APIs: 7, Instructions: 345processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00C84FD1
Process32First.KERNEL32(00000000,00000128), ref: 00C850F8
CloseHandle.KERNEL32(00000000), ref: 00C8548A

Part of subcall function 00C9F040: lstrlen.KERNEL32(?,?,00C74EA1,?), ref: 00C9F091

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00C85267
Module32First.KERNEL32(00000000,00000224), ref: 00C852E7
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00C85406
Process32Next.KERNEL32(?,00000128), ref: 00C8545B

Part of subcall function 00C77080: wvsprintfA.USER32(?,?,?), ref: 00C770C7

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Nextlstrlenwvsprintf
String ID:
API String ID: 2324068143-0
Opcode ID: 5de687461b8a69661a4101201f3144c0f36a9774fb8a2d9648723dd8eafb139b
Instruction ID: a5fb2bb327b4d21365c7dde304b4a5539bb666f6afd0367de8b86dc3fa875fa1
Opcode Fuzzy Hash: 5de687461b8a69661a4101201f3144c0f36a9774fb8a2d9648723dd8eafb139b
Instruction Fuzzy Hash: AEE1BE35A10610CBD718DF68EC96B7E37F8FB55709F04422AE806CB2B1EBB49980CB55

Function 00C75ED0 Relevance: 7.8, APIs: 5, Instructions: 284serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00C75FA2
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00C75FEC
GetLastError.KERNEL32 ref: 00C7600B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00C760BF
CloseServiceHandle.ADVAPI32(00000000), ref: 00C762BA

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 499e33c2c62032e5ae298534537fcfa013f0adbd3c2482f045cc1cceafd852b4
Instruction ID: 6d405198d5847a4042828486c4187560f38da2079b00710a801f56e8332656bd
Opcode Fuzzy Hash: 499e33c2c62032e5ae298534537fcfa013f0adbd3c2482f045cc1cceafd852b4
Instruction Fuzzy Hash: E9C1E172910601DFC708DF68ED96B7E7BB8F744305F00822AE80ADB2B1E774AA41DB55

Function 00C81650 Relevance: 7.7, APIs: 5, Instructions: 180filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00C81762
FindFirstFileA.KERNEL32(?,?), ref: 00C81850
DeleteFileA.KERNEL32(?), ref: 00C81901
FindNextFileA.KERNEL32(00000000,?), ref: 00C81924
FindClose.KERNEL32(00000000), ref: 00C8193D

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 75904b3151df77643cbd8b0623ff24ead894e91c8bb7c3231f1f738cff2a903d
Instruction ID: 7e1ee8d9767478b2360f52701bcfa5a780748f6e07d265a0b6b92e34c4c8ecab
Opcode Fuzzy Hash: 75904b3151df77643cbd8b0623ff24ead894e91c8bb7c3231f1f738cff2a903d
Instruction Fuzzy Hash: F771E272900214DBC744DFA8FC8ABAE37F8F755709F08426AE905D72B1EB349A41DB84

Function 00C83CB0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 470fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 00C843F4

Strings

, xrefs: 00C8436E
FH8, xrefs: 00C83D5B

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: DeleteFile
String ID: $FH8
API String ID: 4033686569-606782576
Opcode ID: c82b34e8465ab87f13fca2a8dde91c9b7dc8e143a63f574bffc3e90999d2e85f
Instruction ID: 071151ea0fda0e67de4d92a9f28e8804327d729944fd0c1218391f8308e02cc3
Opcode Fuzzy Hash: c82b34e8465ab87f13fca2a8dde91c9b7dc8e143a63f574bffc3e90999d2e85f
Instruction Fuzzy Hash: 36024532A00205CBDB18EF68FC86B6E37B4F745319F04421AE906DB2B1EB719941DF95

Function 00C87AC1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 162registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_00028A40), ref: 00C87BB6
SetServiceStatus.ADVAPI32(00CC1504), ref: 00C87C2D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C87C5F
SetServiceStatus.ADVAPI32(00CC1504), ref: 00C87CB4
WaitForSingleObject.KERNEL32(00001388), ref: 00C87CE8
SetServiceStatus.ADVAPI32(00CC1504), ref: 00C87D76
CloseHandle.KERNEL32 ref: 00C87D94
SetServiceStatus.ADVAPI32(00CC1504), ref: 00C87E26

Strings

W@_, xrefs: 00C87D37
R\, xrefs: 00C87E40

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: R\$W@_
API String ID: 3399922960-625819527
Opcode ID: ce0768e388589ca5493441213f576f8fbed4b76b0ffb483b14461f85d2f232e6
Instruction ID: 53129161b25feaa4c0e5d281fc3454745fe224bca6676dac82753bffdc51a41c
Opcode Fuzzy Hash: ce0768e388589ca5493441213f576f8fbed4b76b0ffb483b14461f85d2f232e6
Instruction Fuzzy Hash: 7C8131B9A10600CFD704DF66ED95B6D3BB0F35A30AF18462AE802CB6B2E7759941DF44

Function 00C81CD0 Relevance: 10.7, APIs: 7, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C81D52
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C81D86
CloseHandle.KERNEL32(00000000), ref: 00C81D97
GetTickCount.KERNEL32 ref: 00C81E02
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C81FDE
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00C82015
CloseHandle.KERNEL32(00000000), ref: 00C82026

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 936551d32210bfe01e4506f1e6a3e93a8833fb1f62ed94ad26374877296642f4
Instruction ID: c7e218b58690a63eb1e5d99d95c2bcdb2fe4af08c8196d8422db8040d39d7adb
Opcode Fuzzy Hash: 936551d32210bfe01e4506f1e6a3e93a8833fb1f62ed94ad26374877296642f4
Instruction Fuzzy Hash: F091EF72910200ABD318EF69FD86B7E37B8F706709F14421AF906D72B1E7749A01DB55

Function 00C78C10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C78CCD
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00C78D4D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00C78E97
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00C78F2E

Strings

"ie, xrefs: 00C78C37

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: "ie
API String ID: 2564258376-2574374593
Opcode ID: 5186bae7a65b4e5b7a0a7026b39cf125d422b4c47e03843b4516006a959bc43b
Instruction ID: 2eb457481a347f97b773ef28824b1f45810563d112a56e1cf6f460c3ff41e831
Opcode Fuzzy Hash: 5186bae7a65b4e5b7a0a7026b39cf125d422b4c47e03843b4516006a959bc43b
Instruction Fuzzy Hash: 9D810035610200CBDB14DF68FC96B6E37B8F74570AF10422AFA0AC72B1EB389945DB59

Function 00C7F9C0 Relevance: 7.6, APIs: 5, Instructions: 91synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C7FA3C
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00C7FA66
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00C7FA95
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000), ref: 00C7FAD6
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00C7FB15

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 24331c0fb46127d9692da74f1e6b72d3fc89ca5cdb58364eb43d51fd1ee8524c
Instruction ID: 59ce20143adf88c10dd94c4ce4fc657863aee08c7155653bbb64cd9d2f8b9c31
Opcode Fuzzy Hash: 24331c0fb46127d9692da74f1e6b72d3fc89ca5cdb58364eb43d51fd1ee8524c
Instruction Fuzzy Hash: FB414871644240DFD354CFA8ED96B6E3BF8FB1A715F14822AE94ACB2B0D774A840DB04

Function 00C98A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00CC1504), ref: 00C98ABA
SetEvent.KERNEL32 ref: 00C98AD9
SetServiceStatus.ADVAPI32(00CC1504), ref: 00C98B95

Strings

^iJ, xrefs: 00C98B5D

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: ^iJ
API String ID: 3225596143-2484620576
Opcode ID: 2779a9ead505780e7b64e7d5c10030fe830cd1851e9eff4669d42fd9df5448fe
Instruction ID: 3e571e67fed63c54e0af9c923f61205876cf10770324d2fd8c7f82c7a3f8d541
Opcode Fuzzy Hash: 2779a9ead505780e7b64e7d5c10030fe830cd1851e9eff4669d42fd9df5448fe
Instruction Fuzzy Hash: 0531BAB1104200DBCB44DF66FD96BAE37B8F316344B18961AE902CB270EB318995DF15

Function 00C7F6A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00C9B3AD), ref: 00C7F6E2
GetStdHandle.KERNEL32(000000F5,?,00C9B3AD), ref: 00C7F726
GetStdHandle.KERNEL32(000000F4,?,00C9B3AD), ref: 00C7F793

Strings

)He, xrefs: 00C7F795

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Handle
String ID: )He
API String ID: 2519475695-3578743732
Opcode ID: 9ecdcd696c03cc3966a1a2c1157a22946a33c2923f04ca1a558f5e4ad54eeaa3
Instruction ID: 95bb90b29b905c9356021a837dc3518d25f69253c506393e942498d36e0ba7c3
Opcode Fuzzy Hash: 9ecdcd696c03cc3966a1a2c1157a22946a33c2923f04ca1a558f5e4ad54eeaa3
Instruction Fuzzy Hash: 902169728152508FC708DF2AFD91B6D37B5F70A759B04431BE422C76B1E7B89480DB09

Function 00C825A0 Relevance: 6.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00C8A040,00000000,?), ref: 00C825F8
RtlReAllocateHeap.NTDLL(00000000,?,00C8A040,00000000), ref: 00C825FF
GetProcessHeap.KERNEL32(00000000,?,?,00C8A040,00000000,?), ref: 00C8261B
HeapAlloc.KERNEL32(00000000,?,00C8A040,00000000,?), ref: 00C82622

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: c8cdd0aefe00b553d4e4408763cf4568ed2beb992d63884709a7f144a32f0489
Instruction ID: 97b33b7a98aa46599ad14bf6094604c36103f5822b7098277d06befda8161427
Opcode Fuzzy Hash: c8cdd0aefe00b553d4e4408763cf4568ed2beb992d63884709a7f144a32f0489
Instruction Fuzzy Hash: F8014632540214DBDB549FA5ED88B6E37E8E74AB09B04811AF908C7531E735D9018B56

Function 00C8A110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,00000001,00000000,00000001,00000000,?,00C787C6,?,00000001), ref: 00C8A240
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00C787C6,?), ref: 00C8A2FA

Strings

Z_%., xrefs: 00C8A261

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: FileRead
String ID: Z_%.
API String ID: 2738559852-3593569407
Opcode ID: 1272ebf71c6479ae22921d14fc62b41fa64e0c0f8fe4c23b35cd428ea06d9b3d
Instruction ID: 50b547f1fa812f8a354679ee1338d7f80f23f6abcc16d5c2ce238c593eeb125d
Opcode Fuzzy Hash: 1272ebf71c6479ae22921d14fc62b41fa64e0c0f8fe4c23b35cd428ea06d9b3d
Instruction Fuzzy Hash: E751ED32600200DBDB14DF68ED84BAE37F9F34A719F54022AE805CB2A1EB34DD81CB85

Function 00C8EB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00C8EB9A
GetLastError.KERNEL32 ref: 00C8EBC9

Strings

+{(, xrefs: 00C8EBF0

Memory Dump Source

Source File: 00000004.00000002.2154181982.0000000000C71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C70000, based on PE: true

Associated: 00000004.00000002.2153958524.0000000000C70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154578232.0000000000CA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CA5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CBF000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2154759846.0000000000CC1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2155394101.0000000000CC2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c70000_pubealmiyel.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: +{(
API String ID: 1917127615-1986729412
Opcode ID: 52459dc70e2eeb44a5456745eb303736bd4518780ecce83e85ae6d1a25972384
Instruction ID: 48bc307e15f456bed9cc62ff9b35f4eb8ae98de2f66a5a75be23bd0a1e65a69b
Opcode Fuzzy Hash: 52459dc70e2eeb44a5456745eb303736bd4518780ecce83e85ae6d1a25972384
Instruction Fuzzy Hash: 3C219A316106008F8748EF68FDE6B6C37F6F359709B14421AE806C7671EB709D81CB95

Analysis Process: evwoxfz.exePID: 7884, Parent PID: 7784COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1860
Total number of Limit Nodes:	27

Executed Functions

Function 00D34E51 Relevance: 63.4, APIs: 29, Strings: 6, Instructions: 2114synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00D35988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D359F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D35A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00D35A92
GetTickCount.KERNEL32 ref: 00D35B31

Part of subcall function 00D26220: GetVersionExA.KERNEL32(00D61250), ref: 00D262F0
Part of subcall function 00D26220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00D2640F

GetCommandLineA.KERNEL32 ref: 00D35C00
Sleep.KERNEL32(000007D0), ref: 00D362F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00D363D0
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00D363E6
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00D36401
SetFileAttributesA.KERNEL32(00000000,00000002), ref: 00D365FB
SetFileAttributesA.KERNEL32(00000000,00000080), ref: 00D36655
GetCommandLineA.KERNEL32 ref: 00D366EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00D36787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 00D369DB
WSAStartup.WS2_32(00000202,?), ref: 00D36BD6
CloseHandle.KERNEL32 ref: 00D36D98
SetFileAttributesA.KERNEL32(?,00000080), ref: 00D36DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 00D36E23

Part of subcall function 00D21650: Sleep.KERNEL32(000003E8), ref: 00D21762
Part of subcall function 00D21650: FindFirstFileA.KERNEL32(?,?), ref: 00D21850

Part of subcall function 00D3F040: lstrlen.KERNEL32(?,?,00D14EA1,?), ref: 00D3F091

Sleep.KERNEL32(000003E8), ref: 00D36270

Part of subcall function 00D374D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D37585
Part of subcall function 00D374D0: Process32First.KERNEL32(00000000,00000128), ref: 00D375E1
Part of subcall function 00D374D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00D3768A

Strings

W^V, xrefs: 00D36CA6
-"[, xrefs: 00D354AF, 00D354C0
7n2`, xrefs: 00D35C78
gcXO, xrefs: 00D36818
e, xrefs: 00D357ED
C:\Users\user, xrefs: 00D35982

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Users\user$W^V$gcXO$e
API String ID: 552692769-2751188716
Opcode ID: e4eb8a101fba6a1d70cb1c717dafc0bd029618010881abe27067b3f4e864564a
Instruction ID: fb0294ff64aebbc34782c68390bbecf726551d5e87d3ab606318c6deee92d76b
Opcode Fuzzy Hash: e4eb8a101fba6a1d70cb1c717dafc0bd029618010881abe27067b3f4e864564a
Instruction Fuzzy Hash: 7E13F1799003009BD718DF68FC96A7A37B4FB19746F04452AE906DA3B1EBB09980CF75

Function 00D26220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00D61250), ref: 00D262F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00D2640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00D2659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00D265D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D266CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D267C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D26AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D26B2C

Part of subcall function 00D17080: wvsprintfA.USER32(?,?,?), ref: 00D170C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00D26C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D26E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00D26F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00D2709E

Strings

\, xrefs: 00D26CEA
C:\iduicjypf\, xrefs: 00D26707, 00D26AEC, 00D26D7B, 00D26F4F
C:\Users\user, xrefs: 00D2694F, 00D269EC

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Users\user$C:\iduicjypf\$\
API String ID: 3229173561-3579721949
Opcode ID: 917bcd27849be1a9d815b999a5b000f5019ac1eba26219679019e49e4d20610a
Instruction ID: 3fbc8edef577977ca94a6a0fa82deaef407e76efdcbac5430e6a2ee5ae97f66b
Opcode Fuzzy Hash: 917bcd27849be1a9d815b999a5b000f5019ac1eba26219679019e49e4d20610a
Instruction Fuzzy Hash: 5B72EF799003149BD708DF68FC82ABA77B4FB25306F04402AE906D73A1EB749985CF75

Function 00D3AEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 00D3B03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00D3B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00D3B2C0

Strings

>fx, xrefs: 00D3B1DA

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: 86a5729990e8f00e7c0726b347c3d2aeac83ba19276acdaed71c78bad2fbb2fb
Instruction ID: cbf1d4dd93e26508da3ebc587c76e02e6d80c6ace52cc94ae2df18ab478c0f9e
Opcode Fuzzy Hash: 86a5729990e8f00e7c0726b347c3d2aeac83ba19276acdaed71c78bad2fbb2fb
Instruction Fuzzy Hash: 60B1A77A610710DBDB04CF68FD9262A77B4FB16722F54012AE91ACA3B1EB34D850CB75

Function 00D38700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D387C2
CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 00D38815
FreeSid.ADVAPI32(?), ref: 00D38874

Strings

V=, xrefs: 00D38854

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: V=
API String ID: 3429775523-117639121
Opcode ID: 913d8c073e39f5ce627f817488cb90c4e8975fdb814605349b00851cd22d460b
Instruction ID: a731d38cdc6b941a60d850bbd5698dea2b28ab5ea13bb3033d46fa3e5f49b380
Opcode Fuzzy Hash: 913d8c073e39f5ce627f817488cb90c4e8975fdb814605349b00851cd22d460b
Instruction Fuzzy Hash: D941AB79911300EBDB44CFA8FD86A6977F4FB1A316F54111AE805D73A1EB30A980EB71

Function 00D3B0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 00D3B1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 00D3B2C0

Strings

>fx, xrefs: 00D3B1DA

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 0bd2405f266dd2baa360d83a9d2042faf5868743799d7376b4e0348195db9648
Instruction ID: ddc8d425265966cd497d059aaac9a7b7e9b1f7dcf762cf3b548ce59dbf376715
Opcode Fuzzy Hash: 0bd2405f266dd2baa360d83a9d2042faf5868743799d7376b4e0348195db9648
Instruction Fuzzy Hash: F351997A500714DBCB14DF68EE9266A73F4F726322B500127EA06CA3A1EB30C941CF75

Function 00D272E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00D27323

Strings

wJ, xrefs: 00D272FD

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: ExitProcess
String ID: wJ
API String ID: 621844428-3037638297
Opcode ID: 2b62fc44fe4f2e934fd656bc315f26c81a2fa78e2ab7bbf044100820141eace2
Instruction ID: e072eaef699b45ae736e80763599aa6a1bf65feb461fe7800a03eb7228a75251
Opcode Fuzzy Hash: 2b62fc44fe4f2e934fd656bc315f26c81a2fa78e2ab7bbf044100820141eace2
Instruction Fuzzy Hash: 3DE0EC381283548FCB009F64FC82568BB75F7213923909525EC16CA376F7B19811EF72

Function 00D17300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00D17397
CharLowerBuffA.USER32(?,00000000), ref: 00D173BE

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 87bb60abc6b1765fb33804def11cd8b918e08f86831312df411be466a489cba7
Instruction ID: cffb0ab370b140bde85b388b6f42bf01dc12324a49ee2e68164d5f5e72794bfe
Opcode Fuzzy Hash: 87bb60abc6b1765fb33804def11cd8b918e08f86831312df411be466a489cba7
Instruction Fuzzy Hash: 26219A7A2147109B9B05CF69FCA287937F5FB0A7023048016E80ACB335DB74A881DB72

Function 00D16C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00D29FF6,?,00D29FF6,00000000), ref: 00D16CA6
RtlFreeHeap.NTDLL(00000000,?,00D29FF6,00000000), ref: 00D16CAD

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4332047c14e0821bf1aade98629c0a7caaceb92cc03b72981e23f81afd2d6d11
Instruction ID: 59976d7f8a6bfacb574d495de2a82dd2de7b7050ca44a2d77a334cd9360391f1
Opcode Fuzzy Hash: 4332047c14e0821bf1aade98629c0a7caaceb92cc03b72981e23f81afd2d6d11
Instruction Fuzzy Hash: 12D0C939464308DFE7809FA8FC0DF193B68EB46745F10401AF719C6232DBB099609BB5

Function 00D1F320 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00D19A8B,?,00D3B3E9), ref: 00D1F341
RtlAllocateHeap.NTDLL(00000000,?,00D19A8B,?,00D3B3E9), ref: 00D1F348

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1a52a6b733ae8eaaa00937508b52932f32f2f643106e695961f0b3298892a864
Instruction ID: 0389c8fe1d4ccd6094693416f2d7e6439fcb5590c032970b4aecd763da50f0b9
Opcode Fuzzy Hash: 1a52a6b733ae8eaaa00937508b52932f32f2f643106e695961f0b3298892a864
Instruction Fuzzy Hash: D7D092B8405304ABCB409FA5FD4EA1A7FA8A706A90F001059E668C77B9CB7291009EB4

Function 00D2B470 Relevance: 1.6, APIs: 1, Instructions: 124
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00D2B57A

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 50138c634de1fa2812d1092cef4e49019c14bd503ed59fb24730871ada412e3b
Instruction ID: bd81f5fc9845a0633bd653515fce1854da5a5e8e01fef8f17f512632d8b98b1e
Opcode Fuzzy Hash: 50138c634de1fa2812d1092cef4e49019c14bd503ed59fb24730871ada412e3b
Instruction Fuzzy Hash: AA5188795013649BD728DF28FC82AB637B4F72572AF14511BE905CA3A1E7B4C940CBB1

Non-executed Functions

Function 00D182D0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 373
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D18407

Strings

D, xrefs: 00D1858F

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CreatePipe
String ID: D
API String ID: 2719314638-2746444292
Opcode ID: a98e5a6899d8e0876b62a7fa2da5075ecca784118729b141fb28f5cde5ec0ad9
Instruction ID: 704fa0935d9738e498402e34210a7db9b372912f0b886010fa9db7dd09bfb5f4
Opcode Fuzzy Hash: a98e5a6899d8e0876b62a7fa2da5075ecca784118729b141fb28f5cde5ec0ad9
Instruction Fuzzy Hash: F0F17B79910304EFDB08DFA8FD96AA97BB5FB05702B14051AE806D6370EB709A80DF75

Function 00D3BB30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 158serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00D3BB7D
CreateServiceA.ADVAPI32(00000000,00EC47E0,00EC47E0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D3BBE8
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00D3BC31
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D3BC80
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BC91
OpenServiceA.ADVAPI32(00000000,00000010), ref: 00D3BCEF
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D3BD32
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BD7B
CloseServiceHandle.ADVAPI32(00000000), ref: 00D3BDB8

Strings

G, xrefs: 00D3BBDB

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID: G
API String ID: 3525021261-432008922
Opcode ID: 6b984109f9d1ce090ce9bd14b883a0ae6511ce24bb82e1cc5bf2ed09e7193c2c
Instruction ID: f54b37b73f97e4d164b4f9646ae115466014b33c4f060fee9d07c37d157f4e86
Opcode Fuzzy Hash: 6b984109f9d1ce090ce9bd14b883a0ae6511ce24bb82e1cc5bf2ed09e7193c2c
Instruction Fuzzy Hash: 98519979511700DBD7288F68FC9677A77B0FB0A716B04401AEE02CA7B0EB748442DB76

Function 00D24ED0 Relevance: 10.8, APIs: 7, Instructions: 345processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00D24FD1
Process32First.KERNEL32(00000000,00000128), ref: 00D250F8
CloseHandle.KERNEL32(00000000), ref: 00D2548A

Part of subcall function 00D3F040: lstrlen.KERNEL32(?,?,00D14EA1,?), ref: 00D3F091

CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00D25267
Module32First.KERNEL32(00000000,00000224), ref: 00D252E7
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00D25406
Process32Next.KERNEL32(?,00000128), ref: 00D2545B

Part of subcall function 00D17080: wvsprintfA.USER32(?,?,?), ref: 00D170C7

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Nextlstrlenwvsprintf
String ID:
API String ID: 2324068143-0
Opcode ID: 3752d28901e37281b6229bed91e15c8715882780de02cfa2b4ad6c7f1d072377
Instruction ID: 87a2e6a963343fb293f6b3d4dc53e4937a23fd055c2f7fae033115b44922c4a2
Opcode Fuzzy Hash: 3752d28901e37281b6229bed91e15c8715882780de02cfa2b4ad6c7f1d072377
Instruction Fuzzy Hash: D4E1CE396107108BD748DF28FC96A7A77F4FB65356B04112AEC06CA3B1EBB49980CB75

Function 00D15ED0 Relevance: 7.8, APIs: 5, Instructions: 284serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00D15FA2
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00D15FEC
GetLastError.KERNEL32 ref: 00D1600B
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00D160BF
CloseServiceHandle.ADVAPI32(00000000), ref: 00D162BA

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: cc54a273c8c9ce135385540ffff85555b7092e5921716d02333d7f3d6d0a4cd5
Instruction ID: 493356a722b52020ebaef095286d35ceae81a362f1a2523ac9bcc9c731474f68
Opcode Fuzzy Hash: cc54a273c8c9ce135385540ffff85555b7092e5921716d02333d7f3d6d0a4cd5
Instruction Fuzzy Hash: F7C1D07A9103109BC708DF68FD96AB97BB4FB05302B04412AED06DB365EB74A981CF75

Function 00D21650 Relevance: 7.7, APIs: 5, Instructions: 180filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 00D21762
FindFirstFileA.KERNEL32(?,?), ref: 00D21850
DeleteFileA.KERNEL32(?), ref: 00D21901
FindNextFileA.KERNEL32(00000000,?), ref: 00D21924
FindClose.KERNEL32(00000000), ref: 00D2193D

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 9c9e23fb9f5e25e0ea35fd0be0887fb72e2f58db851f02a0382995e2bc17b47a
Instruction ID: 0d00f8782624f169ff65f1158a9c18e4c28ce90c22feb714c05807ea3e03397a
Opcode Fuzzy Hash: 9c9e23fb9f5e25e0ea35fd0be0887fb72e2f58db851f02a0382995e2bc17b47a
Instruction Fuzzy Hash: 1971FD7A9003649BC744DF68FC86AAA37B8FB22316F044166E805C7371EB749980CFB4

Function 00D25E60 Relevance: 6.2, APIs: 4, Instructions: 167processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D25F1A
Process32First.KERNEL32(00000000,00000128), ref: 00D25F73
Process32Next.KERNEL32(00000000,00000128), ref: 00D26095
CloseHandle.KERNEL32(00000000), ref: 00D26123

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: afa4e71aceb66ef631ca294cddc73f06d4ffc13c7f85e89f3b8842e6b81ff806
Instruction ID: d8368d8b81b9bbd30f38cf29911da4b9950925b0b131517a4187dc0d8bcdff2b
Opcode Fuzzy Hash: afa4e71aceb66ef631ca294cddc73f06d4ffc13c7f85e89f3b8842e6b81ff806
Instruction Fuzzy Hash: C571CFBA911310CBC714DF68FD86AAA77B8FB1931AB14442AEC05C6365EB34D985CF31

Function 00D23CB0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 470fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 00D243F4

Strings

FH8, xrefs: 00D23D5B
, xrefs: 00D2436E

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: DeleteFile
String ID: $FH8
API String ID: 4033686569-606782576
Opcode ID: 0b410a129eba40e9ff00701ae8d9d2cf75ebf9afde5ffb6dc9eb1e056973892e
Instruction ID: 3db538f261064179c8405d71262295c11e37edf6c8e5c5de58e18744c1f30f82
Opcode Fuzzy Hash: 0b410a129eba40e9ff00701ae8d9d2cf75ebf9afde5ffb6dc9eb1e056973892e
Instruction Fuzzy Hash: 2F021339A103109BD714DF68FC92AAA37B4FB55316F54002AED06DB3A1EB759940CFB1

Function 00D27AC1 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 162
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Function_00028A40), ref: 00D27BB6
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27C2D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D27C5F
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27CB4
WaitForSingleObject.KERNEL32(00001388), ref: 00D27CE8
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27D76
CloseHandle.KERNEL32 ref: 00D27D94
SetServiceStatus.ADVAPI32(00D61504), ref: 00D27E26

Strings

W@_, xrefs: 00D27D37
R\, xrefs: 00D27E40

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: R\$W@_
API String ID: 3399922960-625819527
Opcode ID: 6ce02ec3c866c3a013122eafb883bcc09c09c612796e96c0b30cd80a4e715088
Instruction ID: ee60cdd5e5f3472d01561295547237874845b5d89c87399a1d30ea6fb12cc8c7
Opcode Fuzzy Hash: 6ce02ec3c866c3a013122eafb883bcc09c09c612796e96c0b30cd80a4e715088
Instruction Fuzzy Hash: 5A8131BD510301CBD704DF68FD96A217BB0F769306B08452AE802CA7B5E7B59941DF71

Function 00D374D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D37585
Process32First.KERNEL32(00000000,00000128), ref: 00D375E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00D3768A
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00D376B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00D376E3
Process32Next.KERNEL32(00000000,00000128), ref: 00D37760
CloseHandle.KERNEL32(00000000), ref: 00D377AC

Strings

W, xrefs: 00D37794

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: 18ead476e374cf7ec81451b354325937f9ac5be6d429973306f783b9c2e8eea2
Instruction ID: a9806563387062c69141c2438b794a5463ba15c7cd7964268fb8beb1534bfe84
Opcode Fuzzy Hash: 18ead476e374cf7ec81451b354325937f9ac5be6d429973306f783b9c2e8eea2
Instruction Fuzzy Hash: 0081887A611700EBC714DF68FD96AAA77B8FB0A356B14412AEC06C6371EB748940CF35

Function 00D21CD0 Relevance: 10.7, APIs: 7, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D21D52
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00D21D86
CloseHandle.KERNEL32(00000000), ref: 00D21D97
GetTickCount.KERNEL32 ref: 00D21E02
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D21FDE
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00D22015
CloseHandle.KERNEL32(00000000), ref: 00D22026

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 86c7e109476e67aef8a00a10448ad2fe15bb22ca4e2f66e1af66aa1e7d6bbfc7
Instruction ID: 2f94484895786fa3b4d523c923ce64b95cc7dda7faa15ab93638e62c5b54b090
Opcode Fuzzy Hash: 86c7e109476e67aef8a00a10448ad2fe15bb22ca4e2f66e1af66aa1e7d6bbfc7
Instruction Fuzzy Hash: 2D91CA7A510310ABD318DF68FD96B7A3BA4FB26716F04401AF805D63B1E7749A40CBB6

Function 00D3B460 Relevance: 9.1, APIs: 6, Instructions: 138filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00D3B4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00D3B52B
CloseHandle.KERNEL32(00000000), ref: 00D3B561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3B5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00D3B619
CloseHandle.KERNEL32(00000000), ref: 00D3B62D

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 925d0df7dabf351bde2e698e6ed754c6c6021760d8dcef26305f88d30472007d
Instruction ID: 3dc958b0d41dd7dbd332d5ac8de00908d0fb3ca2642d062c55a0ccd4a4768c34
Opcode Fuzzy Hash: 925d0df7dabf351bde2e698e6ed754c6c6021760d8dcef26305f88d30472007d
Instruction Fuzzy Hash: F551AE39550314EBC714DF68FC82AAA7BB4FB05322F10421BE915DA7B0EB749A40DBB5

Function 00D18C10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D18CCD
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00D18D4D
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00D18E97
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D18F2E

Strings

"ie, xrefs: 00D18C37

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseFileHandle$CreateRead
String ID: "ie
API String ID: 2564258376-2574374593
Opcode ID: cc1d08f152ffa45117d9d89559ea8be62bc12f7a418ba3e0daaf212de65af01d
Instruction ID: 866ff3c72ae6fd77f00c3d1b315f97f8daacb2fe345e6db6d62c0431d4724cbe
Opcode Fuzzy Hash: cc1d08f152ffa45117d9d89559ea8be62bc12f7a418ba3e0daaf212de65af01d
Instruction Fuzzy Hash: 9381DA39A10310ABDB14DF68FC92BAA37B5FB45712F00002AFD05C63A1EB748981DBB5

Function 00D1F9C0 Relevance: 7.6, APIs: 5, Instructions: 91synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00D1FA3C
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00D1FA66
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00D1FA95
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000), ref: 00D1FAD6
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00D1FB15

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 78c395e6b31c5c02fdc3c9b54bdeb7786810d718b4abd71ba4744506e05c1e49
Instruction ID: 3fe36c983554d2ba89c462755ec2726b7c2d8f9b9c94ce00d246da84da159202
Opcode Fuzzy Hash: 78c395e6b31c5c02fdc3c9b54bdeb7786810d718b4abd71ba4744506e05c1e49
Instruction Fuzzy Hash: 874149796443009FD354CFA8ED95B6A7BF4EB19312B04812AE84ACB7B0DB74A8408B74

Function 00D29830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 00D29906
CloseHandle.KERNEL32(?), ref: 00D29920
CloseHandle.KERNEL32(?), ref: 00D2994F

Strings

D, xrefs: 00D298AE

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: e92bdb3d8b463649605ca1606b725cdbce8b757ae7f76eae8e2288be295222d7
Instruction ID: 282c673e804b1124fe072dba7e06f8cc79dac0734d01e9de9a04510963f82a72
Opcode Fuzzy Hash: e92bdb3d8b463649605ca1606b725cdbce8b757ae7f76eae8e2288be295222d7
Instruction Fuzzy Hash: 9341BE78540314DBD714CFA4ED92BAA7BB8F719712F00140AE912DA3B0E7B5A940CB74

Function 00D38A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00D61504), ref: 00D38ABA
SetEvent.KERNEL32 ref: 00D38AD9
SetServiceStatus.ADVAPI32(00D61504), ref: 00D38B95

Strings

^iJ, xrefs: 00D38B5D

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: ServiceStatus$Event
String ID: ^iJ
API String ID: 3225596143-2484620576
Opcode ID: 9d478ec968a829266530c1ca5b0de66581be2af8cfdf75eaf7990b96953d9dee
Instruction ID: da8bbbe0452ad88a94de366b9dcdb3fdd45a5e89ed5ee8efd5a73ba5c191a39e
Opcode Fuzzy Hash: 9d478ec968a829266530c1ca5b0de66581be2af8cfdf75eaf7990b96953d9dee
Instruction Fuzzy Hash: 893187B9504342CBC704DF64FDA2866B7B4F756342714941AE802CB3B0EB76C991EB36

Function 00D1F6A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00D3B3AD), ref: 00D1F6E2
GetStdHandle.KERNEL32(000000F5,?,00D3B3AD), ref: 00D1F726
GetStdHandle.KERNEL32(000000F4,?,00D3B3AD), ref: 00D1F793

Strings

)He, xrefs: 00D1F795

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Handle
String ID: )He
API String ID: 2519475695-3578743732
Opcode ID: bbaf9aa66acef4a63073c837797c706bf934f60a95a0246650c8dd05032cb02f
Instruction ID: 4abb36928fa05cea6cd49c68a46de5e60b9ec4954ac5a4a9d9933121bfa4d92d
Opcode Fuzzy Hash: bbaf9aa66acef4a63073c837797c706bf934f60a95a0246650c8dd05032cb02f
Instruction Fuzzy Hash: 9E217A798263618BC708DF69FD9166537B5FB0A31A704522BE812C63B0E7B48481CF79

Function 00D225A0 Relevance: 6.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00D2A040,00000000,?), ref: 00D225F8
RtlReAllocateHeap.NTDLL(00000000,?,00D2A040,00000000), ref: 00D225FF
GetProcessHeap.KERNEL32(00000000,?,?,00D2A040,00000000,?), ref: 00D2261B
HeapAlloc.KERNEL32(00000000,?,00D2A040,00000000,?), ref: 00D22622

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: bc9f544f3af384f68c54e003b41beade4e981e80417d92b1794e67eb85ef8e6d
Instruction ID: 31f24a736c9efb6ae2a1386933367892cd67c9deb5493086f476d0d4a403942e
Opcode Fuzzy Hash: bc9f544f3af384f68c54e003b41beade4e981e80417d92b1794e67eb85ef8e6d
Instruction Fuzzy Hash: F301697A550314EBD7049FB9FD49A3A77B8E749706B04800AF918CA760E734C9018B32

Function 00D2A110 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00005000,00000001,00000000,00000001,00000000,?,00D187C6,?,00000001), ref: 00D2A240
ReadFile.KERNEL32(?,?,00005000,00000000,00000000,?,00000000,?,00D187C6,?), ref: 00D2A2FA

Strings

Z_%., xrefs: 00D2A261

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: FileRead
String ID: Z_%.
API String ID: 2738559852-3593569407
Opcode ID: 7209d0c0ba50d08a4cfcb59410cd151148d97a5c1f8ffed08fefbbfab06c48fc
Instruction ID: b6a518b6f895153ba37fe51741e63a9127261fd7343f99bf6964b434299108dc
Opcode Fuzzy Hash: 7209d0c0ba50d08a4cfcb59410cd151148d97a5c1f8ffed08fefbbfab06c48fc
Instruction Fuzzy Hash: D351DD39600315DBC708CF68FD81A6A77F9F76A726B45002AE805DB360EB30D980CB72

Function 00D2EB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00D2EB9A
GetLastError.KERNEL32 ref: 00D2EBC9

Strings

+{(, xrefs: 00D2EBF0

Memory Dump Source

Source File: 00000005.00000002.1384171376.0000000000D11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000005.00000002.1384134714.0000000000D10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384231058.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D45000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384256565.0000000000D61000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1384326267.0000000000D62000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d10000_evwoxfz.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: +{(
API String ID: 1917127615-1986729412
Opcode ID: ae9a210d559a7974411df8294981ae4f43a8919441d3346132623c9e409bd758
Instruction ID: 6982c6306d70b2425df48434c58ede4454f86c40ebdbb483c9ba8c4c3b999675
Opcode Fuzzy Hash: ae9a210d559a7974411df8294981ae4f43a8919441d3346132623c9e409bd758
Instruction Fuzzy Hash: F92168396107108BD758EF68FDD65293BE6F7AA756314402AE80ACB370E7709981CB72

Analysis Process: pubealmiyel.exePID: 6940, Parent PID: 6516COMMON

Executed Functions

Function 009E4E51 Relevance: 63.4, APIs: 29, Strings: 6, Instructions: 2115synchronizationsleepfileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 009E5988
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 009E59F5
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 009E5A58
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 009E5A92
GetTickCount.KERNEL32 ref: 009E5B31

Part of subcall function 009D6220: GetVersionExA.KERNEL32(00A11250), ref: 009D62F0
Part of subcall function 009D6220: CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 009D640F

GetCommandLineA.KERNEL32 ref: 009E5C00
Sleep.KERNELBASE(000007D0), ref: 009E62F8
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 009E63D0
SetFileAttributesA.KERNEL32(00000001,00000080), ref: 009E63E6
CopyFileA.KERNEL32(?,00000001,00000000), ref: 009E6401
SetFileAttributesA.KERNEL32(00000001,00000002), ref: 009E65FB
SetFileAttributesA.KERNEL32(00000001,00000080), ref: 009E6655
GetCommandLineA.KERNEL32 ref: 009E66EE
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 009E6787
MessageBoxA.USER32(00000000,00000004,-00000005,00000000), ref: 009E69DB
WSAStartup.WS2_32(00000202,?), ref: 009E6BD6
CloseHandle.KERNEL32 ref: 009E6D98
SetFileAttributesA.KERNEL32(?,00000080), ref: 009E6DBC
CopyFileA.KERNEL32(?,?,00000000), ref: 009E6E23

Part of subcall function 009D1650: Sleep.KERNEL32(000003E8), ref: 009D1762
Part of subcall function 009D1650: FindFirstFileA.KERNEL32(?,?), ref: 009D1850

Part of subcall function 009EF040: lstrlen.KERNEL32(?,?,009C4EA1,?), ref: 009EF091

Sleep.KERNELBASE(000003E8), ref: 009E6270

Part of subcall function 009E74D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 009E7585
Part of subcall function 009E74D0: Process32First.KERNEL32(00000000,00000128), ref: 009E75E1
Part of subcall function 009E74D0: OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 009E768A

Strings

W^V, xrefs: 009E6CA6
7n2`, xrefs: 009E5C78
C:\Windows\system32\config\systemprofile, xrefs: 009E5982
-"[, xrefs: 009E54AF, 009E54C0
e, xrefs: 009E57ED
gcXO, xrefs: 009E6818

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: File$Create$Attributes$MutexSleep$CommandCopyFirstLineModuleName$CloseCountDirectoryEnvironmentFindHandleMessageOpenProcessProcess32SnapshotStartupTickToolhelp32VariableVersionlstrlen
String ID: -"[$7n2`$C:\Windows\system32\config\systemprofile$W^V$gcXO$e
API String ID: 552692769-508476934
Opcode ID: 33b7e5a4f5d8587a881d0e5b6f34a35825dbb0acf42b23dc45b2d84cf2fa3121
Instruction ID: fa6a12caf132072097eaf285960da0eb47437d7e66129b889ff55a4fb0817a4e
Opcode Fuzzy Hash: 33b7e5a4f5d8587a881d0e5b6f34a35825dbb0acf42b23dc45b2d84cf2fa3121
Instruction Fuzzy Hash: C0133471928248DFD708EFA5FC96BBA37B4FB54345F00442AE506CA2B1EB749843EB45

Function 009D6220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00A11250), ref: 009D62F0
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 009D640F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 009D659C
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 009D65D4
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 009D66CB
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009D67C6
CreateDirectoryA.KERNEL32(?,00000000), ref: 009D6AC7
CreateDirectoryA.KERNEL32(?,00000000), ref: 009D6B2C

Part of subcall function 009C7080: wvsprintfA.USER32(?,?,?), ref: 009C70C7

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 009D6C69
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 009D6E03
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 009D6F38
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 009D709E

Strings

C:\Windows\system32\config\systemprofile, xrefs: 009D694F, 009D69EC
C:\iduicjypf\, xrefs: 009D6707, 009D6AEC, 009D6D7B, 009D6F4F
\, xrefs: 009D6CEA

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionwvsprintf
String ID: C:\Windows\system32\config\systemprofile$C:\iduicjypf\$\
API String ID: 3229173561-1627785957
Opcode ID: 9fbedfa215fb415f55ebc23e62dd3fd1ab4b2371ccc8561aee8090356804646e
Instruction ID: babfee88b59deb4404c99d0fedfdf8835d827f2005b5122fe37a75a5eba97a5b
Opcode Fuzzy Hash: 9fbedfa215fb415f55ebc23e62dd3fd1ab4b2371ccc8561aee8090356804646e
Instruction Fuzzy Hash: 917216B19642089FD704DFA4FD86ABA37B4FB54301F00802AE506DB2B1EB749987DF56

Function 009D5E60 Relevance: 6.2, APIs: 4, Instructions: 167
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009D5F1A
Process32First.KERNEL32(00000000,00000128), ref: 009D5F73
Process32Next.KERNEL32(00000000,00000128), ref: 009D6095
CloseHandle.KERNELBASE(00000000), ref: 009D6123

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 508ba269a7c5e8e4d7d06f9491e366fed5b904b1ef82c235175d0a686f4b2b54
Instruction ID: 4765ceb50c8f55fec760274e2c5c454d7f30b688fca0cbb09b8b4ca061d61f32
Opcode Fuzzy Hash: 508ba269a7c5e8e4d7d06f9491e366fed5b904b1ef82c235175d0a686f4b2b54
Instruction Fuzzy Hash: 5771CEB2929218CBC714DFA8FD86BBA37B8F758305F10842BD905C6260EB349987DF11

Function 009E74D0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 009E7585
Process32First.KERNEL32(00000000,00000128), ref: 009E75E1
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 009E768A
TerminateProcess.KERNELBASE(00000000,000000FF,?,?,?,?,00000000), ref: 009E76B8
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 009E76E3
Process32Next.KERNEL32(00000000,00000128), ref: 009E7760
CloseHandle.KERNEL32(00000000), ref: 009E77AC

Strings

W, xrefs: 009E7794

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: W
API String ID: 2696918072-4153503623
Opcode ID: 9d845cb75d2a14e27c002361370ca26a57b8c765c2b9b3d0b448e83b2ce6b88f
Instruction ID: e9f636eaa1faaff1cb5c9272b66d14ed231ebc5c9abe9413094361924492d97f
Opcode Fuzzy Hash: 9d845cb75d2a14e27c002361370ca26a57b8c765c2b9b3d0b448e83b2ce6b88f
Instruction Fuzzy Hash: A181AA72A28208DFC714CFA8FD85ABA73B8FB08305B00411AE946C6271EB309953DF05

Function 009EB460 Relevance: 9.1, APIs: 6, Instructions: 138
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 009EB4CB
GetFileTime.KERNEL32(00000000,?,?,?), ref: 009EB52B
CloseHandle.KERNEL32(00000000), ref: 009EB561
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009EB5E0
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 009EB619
CloseHandle.KERNEL32(00000000), ref: 009EB62D

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: c291d28ef0c6481b3a12674f31e2ada136b44ce1a12091d71b8105cbe243def7
Instruction ID: 1930c88f0a3331acad8c3b7013aa3785dfe8ca91045365e7408a7697800405a6
Opcode Fuzzy Hash: c291d28ef0c6481b3a12674f31e2ada136b44ce1a12091d71b8105cbe243def7
Instruction Fuzzy Hash: 9E51D131514208DBC710CFA9FC81BBA77B4FB04321F10821BF915DA6B0EB349992EB95

Function 009EAEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?), ref: 009EB03C
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 009EB1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 009EB2C0

Strings

>fx, xrefs: 009EB1DA

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: >fx
API String ID: 1065093856-1758723267
Opcode ID: 09497f724d69405190fa08014804408b86fa2d2ccbfa9dd405ee81bacce51ca7
Instruction ID: 6cad79a7b1e2942fbebcd6f625671a3a3b55bd2cf51836447b0892fad7528e07
Opcode Fuzzy Hash: 09497f724d69405190fa08014804408b86fa2d2ccbfa9dd405ee81bacce51ca7
Instruction Fuzzy Hash: 8FB10F76628208CFDB05CFA9ED9267A77F4FB18301B00412AE916CA2B0E7349C53EF45

Function 009D9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 009D9906
CloseHandle.KERNEL32(?), ref: 009D9920
CloseHandle.KERNEL32(?), ref: 009D994F

Strings

D, xrefs: 009D98AE

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 1e86336f5d4a63b193553a6f4cf686deecc6684fe8a712287295136aad94d1d9
Instruction ID: 90cb6285e78d3886bcc209f53ebd975184ad9de16cc938a5dbc9f3207cfb1b08
Opcode Fuzzy Hash: 1e86336f5d4a63b193553a6f4cf686deecc6684fe8a712287295136aad94d1d9
Instruction Fuzzy Hash: 52419B74954208DBCB14DFE4ED92BB937F8F718700F00851AE612DA2B0E779A946EB45

Function 009EB0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,00000001), ref: 009EB1B3
CloseHandle.KERNELBASE(00000000,?,?,?,00000001), ref: 009EB2C0

Strings

>fx, xrefs: 009EB1DA

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: CloseFileHandleWrite
String ID: >fx
API String ID: 1769507746-1758723267
Opcode ID: 32b8bde70d91b1c1fe44145a0d76a645a7b95715bed694292182231b94e64156
Instruction ID: 209e53760181002f06b14037ae2ce62d541e6f486e2c41dd9daedaf2273eb7f4
Opcode Fuzzy Hash: 32b8bde70d91b1c1fe44145a0d76a645a7b95715bed694292182231b94e64156
Instruction Fuzzy Hash: 6751E076924248DBCB15CFA5EE9167A73F8FB14301B50042AEA11CB2B1D7349D53EF44

Function 009D72E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 009D7323

Strings

wJ, xrefs: 009D72FD

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: ExitProcess
String ID: wJ
API String ID: 621844428-3037638297
Opcode ID: 4468486b8fca52bddd60be8857a93edc1c835428f868ddaaea8f174ac7b97b16
Instruction ID: 028537974403a5b95c1086183cd3c325fa0c0340b641e2b13d7ac1c1630978a2
Opcode Fuzzy Hash: 4468486b8fca52bddd60be8857a93edc1c835428f868ddaaea8f174ac7b97b16
Instruction Fuzzy Hash: 78E0B6341282498FD701DFE5EC82669BBA5F750341380A026EC06CA272F771A806EB56

Function 009C6C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,009D9FF6,?,009D9FF6,00000000), ref: 009C6CA6
RtlFreeHeap.NTDLL(00000000,?,009D9FF6,00000000), ref: 009C6CAD

Memory Dump Source

Source File: 0000000A.00000002.3133415747.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 0000000A.00000002.3133391608.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133453366.00000000009F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.00000000009F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A0F000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133477969.0000000000A11000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3133555267.0000000000A12000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9c0000_pubealmiyel.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9805b7c0edb9a4d817ccf30d02eb1a48bd74104163bf53be4d7f8b6c23b1fe35
Instruction ID: aff2e46767f0c5428034a7effaa1a6df596ee8469aaac6c9dad68612f6e5af80
Opcode Fuzzy Hash: 9805b7c0edb9a4d817ccf30d02eb1a48bd74104163bf53be4d7f8b6c23b1fe35
Instruction Fuzzy Hash: E5D0C931079708EFE7809BA8FC0DA263BACEB44705F51400AF709C6071DB709961EBA5

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PORgjGswYg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\iduicjypf\mp4dlnai

C:\iduicjypf\d939bcdhmynt2wokv.exe

C:\iduicjypf\evwoxfz.exe

C:\iduicjypf\mp4dlnai

C:\iduicjypf\pubealmiyel.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
PORgjGswYg.exe

Function 00FF6220 Relevance: 27.1, APIs: 12, Strings: 3, Instructions: 818
fileCOMMON

Function 00FF1650 Relevance: 7.7, APIs: 5, Instructions: 180
filesleepCOMMON

Function 01008700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
memoryCOMMON

Function 00FE6C90 Relevance: 3.0, APIs: 2, Instructions: 13
memoryCOMMON

Function 00FEC09C Relevance: 2.8, Strings: 2, Instructions: 303
COMMON

Function 00FEC0C0 Relevance: 2.8, Strings: 2, Instructions: 255
COMMON

Function 00FF1CD0 Relevance: 10.7, APIs: 7, Instructions: 230
fileCOMMON

Function 0100AEE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Function 00FF9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98
processCOMMON

Function 0100B0A7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
fileCOMMON

Function 00FF72E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Function 00FE7300 Relevance: 3.1, APIs: 2, Instructions: 68
stringCOMMON

Function 00FEF320 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre