Edit tour

Windows Analysis Report
66HKNPT1fl.exe

Overview

General Information

Sample name:	66HKNPT1fl.exe renamed because original name is a hash value
Original sample name:	93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3.exe
Analysis ID:	1551208
MD5:	f0d9a1e7385ed0ea2ece3d30915163d5
SHA1:	fa25bb798e084ddfa0ad97b659b49a405fa19b22
SHA256:	93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

Connects to many different domains

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

66HKNPT1fl.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\66HKNPT1fl.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

ew3dvaplid9hjn8.exe (PID: 7892 cmdline: "C:\daxjjwrfm\ew3dvaplid9hjn8.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

qbpabupgx.exe (PID: 7992 cmdline: "C:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

qbpabupgx.exe (PID: 7908 cmdline: C:\daxjjwrfm\qbpabupgx.exe MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

tkjnbticppc.exe (PID: 7964 cmdline: mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

qbpabupgx.exe (PID: 2804 cmdline: "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

tkjnbticppc.exe (PID: 3112 cmdline: mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

qbpabupgx.exe (PID: 7856 cmdline: "c:\daxjjwrfm\qbpabupgx.exe" MD5: F0D9A1E7385ED0EA2ECE3D30915163D5)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:22.009191+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.9	49816	TCP
2024-11-07T15:49:49.133139+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.9	56356	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:12.799667+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49762	TCP
2024-11-07T15:49:15.328986+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	49777	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:12.799667+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.9	49762	TCP
2024-11-07T15:49:15.328986+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.9	49777	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:12.872107+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	54573	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:13.682285+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	51021	UDP
2024-11-07T15:50:28.894624+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	52991	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:12.433600+0100	2815568	1	A Network Trojan was detected	192.168.2.9	49762	18.143.155.63	80	TCP
2024-11-07T15:50:34.229870+0100	2815568	1	A Network Trojan was detected	192.168.2.9	56372	54.244.188.177	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T15:49:12.433600+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	49762	18.143.155.63	80	TCP
2024-11-07T15:50:34.229870+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.9	56372	54.244.188.177	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 66HKNPT1fl.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\daxjjwrfm\qbpabupgx.exe	Avira: detection malicious, Label: HEUR/AGEN.1318578
Source: C:\daxjjwrfm\tkjnbticppc.exe	Avira: detection malicious, Label: HEUR/AGEN.1318578
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Avira: detection malicious, Label: HEUR/AGEN.1318578

Multi AV Scanner detection for dropped file

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	ReversingLabs: Detection: 89%
Source: C:\daxjjwrfm\qbpabupgx.exe	ReversingLabs: Detection: 89%
Source: C:\daxjjwrfm\tkjnbticppc.exe	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: 66HKNPT1fl.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\daxjjwrfm\qbpabupgx.exe	Joe Sandbox ML: detected
Source: C:\daxjjwrfm\tkjnbticppc.exe	Joe Sandbox ML: detected
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 66HKNPT1fl.exe

Joe Sandbox ML: detected

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B17040 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		2_2_00B17040
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00517040 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		3_2_00517040

Source: 66HKNPT1fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000160A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_000160A0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00AF60A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004F60A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003960A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_003960A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_004F60A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E760A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00E760A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:49762 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.9:56372 -> 54.244.188.177:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadernothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63
Source: Joe Sandbox View	IP Address: 85.214.228.140 85.214.228.140

Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:51021
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:49762 -> 18.143.155.63:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.9:49777
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.9:49762
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.9:49762
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.9:49777
Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.9:54573
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.9:52991
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.9:56372 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.9:49816
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.9:56356

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_000301B0 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket,

0_2_000301B0

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net

Source: global traffic	DNS traffic detected: DNS query: heavenstream.net
Source: global traffic	DNS traffic detected: DNS query: leadernothing.net
Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net

Source: qbpabupgx.exe, 00000003.00000002.2146734958.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000009.00000002.3176208375.0000000001617000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	File created: C:\Windows\daxjjwrfm\	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	File created: C:\Windows\daxjjwrfm\nozyy3rc2p	Jump to behavior

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

File deleted: C:\Windows\daxjjwrfm\nozyy3rc2p

Jump to behavior

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00033060	0_2_00033060
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00022490	0_2_00022490
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000200C1	0_2_000200C1
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0002B733	0_2_0002B733
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00024420	0_2_00024420
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003A050	0_2_0003A050
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00040850	0_2_00040850
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00015894	0_2_00015894
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000144A0	0_2_000144A0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00025520	0_2_00025520
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00035950	0_2_00035950
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00032950	0_2_00032950
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000345A0	0_2_000345A0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000301B0	0_2_000301B0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000119C0	0_2_000119C0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000385E0	0_2_000385E0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003FE10	0_2_0003FE10
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00024A29	0_2_00024A29
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0002C640	0_2_0002C640
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003EEB0	0_2_0003EEB0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00033AF0	0_2_00033AF0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00015730	0_2_00015730
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00025F50	0_2_00025F50
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003DB50	0_2_0003DB50
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00012F90	0_2_00012F90
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00038BA0	0_2_00038BA0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000277A1	0_2_000277A1
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003ABB0	0_2_0003ABB0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00037BD0	0_2_00037BD0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003CBE0	0_2_0003CBE0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000277F0	0_2_000277F0
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0003B7F0	0_2_0003B7F0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B02490	2_2_00B02490
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B000C8	2_2_00B000C8
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B13060	2_2_00B13060
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1CBE0	2_2_00B1CBE0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1DB50	2_2_00B1DB50
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B0B744	2_2_00B0B744
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF44A0	2_2_00AF44A0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF5894	2_2_00AF5894
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B04420	2_2_00B04420
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1A050	2_2_00B1A050
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B20850	2_2_00B20850
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B101B0	2_2_00B101B0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B145A0	2_2_00B145A0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B185E0	2_2_00B185E0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF19C0	2_2_00AF19C0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B05520	2_2_00B05520
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B15950	2_2_00B15950
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B12950	2_2_00B12950
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1EEB0	2_2_00B1EEB0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B13AF0	2_2_00B13AF0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B04A29	2_2_00B04A29
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1FE10	2_2_00B1FE10
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B0C640	2_2_00B0C640
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1ABB0	2_2_00B1ABB0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B18BA0	2_2_00B18BA0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B077A1	2_2_00B077A1
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF2F90	2_2_00AF2F90
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B077F0	2_2_00B077F0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B1B7F0	2_2_00B1B7F0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B17BD0	2_2_00B17BD0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF5730	2_2_00AF5730
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B05F50	2_2_00B05F50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00513060	3_2_00513060
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005000C8	3_2_005000C8
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00502490	3_2_00502490
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005101B0	3_2_005101B0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051FE10	3_2_0051FE10
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051DB50	3_2_0051DB50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0050B73A	3_2_0050B73A
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051CBE0	3_2_0051CBE0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051A050	3_2_0051A050
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00520850	3_2_00520850
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00504420	3_2_00504420
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F5894	3_2_004F5894
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F44A0	3_2_004F44A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00515950	3_2_00515950
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00512950	3_2_00512950
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00505520	3_2_00505520
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F19C0	3_2_004F19C0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005185E0	3_2_005185E0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005145A0	3_2_005145A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0050C640	3_2_0050C640
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00504A29	3_2_00504A29
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00513AF0	3_2_00513AF0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051EEB0	3_2_0051EEB0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00505F50	3_2_00505F50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F5730	3_2_004F5730
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00517BD0	3_2_00517BD0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005077F0	3_2_005077F0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051B7F0	3_2_0051B7F0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F2F90	3_2_004F2F90
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0051ABB0	3_2_0051ABB0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00518BA0	3_2_00518BA0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_005077A1	3_2_005077A1
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B3060	4_2_003B3060
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A2490	4_2_003A2490
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A00C1	4_2_003A00C1
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003AB733	4_2_003AB733
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A4420	4_2_003A4420
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BA050	4_2_003BA050
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003C0850	4_2_003C0850
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003944A0	4_2_003944A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_00395894	4_2_00395894
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A5520	4_2_003A5520
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B5950	4_2_003B5950
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B2950	4_2_003B2950
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B01B0	4_2_003B01B0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B45A0	4_2_003B45A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B85E0	4_2_003B85E0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003919C0	4_2_003919C0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A4A29	4_2_003A4A29
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BFE10	4_2_003BFE10
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003AC640	4_2_003AC640
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BEEB0	4_2_003BEEB0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B3AF0	4_2_003B3AF0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_00395730	4_2_00395730
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A5F50	4_2_003A5F50
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BDB50	4_2_003BDB50
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BABB0	4_2_003BABB0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B8BA0	4_2_003B8BA0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A77A1	4_2_003A77A1
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_00392F90	4_2_00392F90
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003A77F0	4_2_003A77F0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BB7F0	4_2_003BB7F0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003BCBE0	4_2_003BCBE0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B7BD0	4_2_003B7BD0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00513060	5_2_00513060
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005000C8	5_2_005000C8
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00502490	5_2_00502490
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0050B73A	5_2_0050B73A
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051A050	5_2_0051A050
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00520850	5_2_00520850
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00504420	5_2_00504420
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F5894	5_2_004F5894
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F44A0	5_2_004F44A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00515950	5_2_00515950
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00512950	5_2_00512950
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00505520	5_2_00505520
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F19C0	5_2_004F19C0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005185E0	5_2_005185E0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005101B0	5_2_005101B0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005145A0	5_2_005145A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0050C640	5_2_0050C640
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051FE10	5_2_0051FE10
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00504A29	5_2_00504A29
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00513AF0	5_2_00513AF0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051EEB0	5_2_0051EEB0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00505F50	5_2_00505F50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051DB50	5_2_0051DB50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F5730	5_2_004F5730
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00517BD0	5_2_00517BD0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005077F0	5_2_005077F0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051B7F0	5_2_0051B7F0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051CBE0	5_2_0051CBE0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F2F90	5_2_004F2F90
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0051ABB0	5_2_0051ABB0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00518BA0	5_2_00518BA0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_005077A1	5_2_005077A1
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E800C8	10_2_00E800C8
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E93060	10_2_00E93060
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E82490	10_2_00E82490
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E8B744	10_2_00E8B744
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E75894	10_2_00E75894
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9A050	10_2_00E9A050
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00EA0850	10_2_00EA0850
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E719C0	10_2_00E719C0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E901B0	10_2_00E901B0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E95950	10_2_00E95950
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E92950	10_2_00E92950
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E93AF0	10_2_00E93AF0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E84A29	10_2_00E84A29
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9CBE0	10_2_00E9CBE0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E97BD0	10_2_00E97BD0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E98BA0	10_2_00E98BA0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9ABB0	10_2_00E9ABB0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9DB50	10_2_00E9DB50
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E744A0	10_2_00E744A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E84420	10_2_00E84420
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E985E0	10_2_00E985E0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E945A0	10_2_00E945A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E85520	10_2_00E85520
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9EEB0	10_2_00E9EEB0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E8C640	10_2_00E8C640
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9FE10	10_2_00E9FE10
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E877F0	10_2_00E877F0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E9B7F0	10_2_00E9B7F0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E877A1	10_2_00E877A1
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E72F90	10_2_00E72F90
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E85F50	10_2_00E85F50
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E75730	10_2_00E75730

Source: 66HKNPT1fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 66HKNPT1fl.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ew3dvaplid9hjn8.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qbpabupgx.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tkjnbticppc.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@14/5@335/4

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00028200
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_00B08200
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	3_2_00508200
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_003A8200
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00508200
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00E88200

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_0002C250 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_0002C250

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_00035010 StartServiceCtrlDispatcherA,

0_2_00035010

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00035010 StartServiceCtrlDispatcherA,	0_2_00035010
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00B15010 StartServiceCtrlDispatcherA,	2_2_00B15010
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_00515010 StartServiceCtrlDispatcherA,	3_2_00515010
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003B5010 StartServiceCtrlDispatcherA,	4_2_003B5010
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_00515010 StartServiceCtrlDispatcherA,	5_2_00515010
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E95010 StartServiceCtrlDispatcherA,	10_2_00E95010

Source: C:\daxjjwrfm\qbpabupgx.exe

Mutant created: NULL

Source: 66HKNPT1fl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 66HKNPT1fl.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

File read: C:\Users\user\Desktop\66HKNPT1fl.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\66HKNPT1fl.exe "C:\Users\user\Desktop\66HKNPT1fl.exe"
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Process created: C:\daxjjwrfm\ew3dvaplid9hjn8.exe "C:\daxjjwrfm\ew3dvaplid9hjn8.exe"
Source: unknown	Process created: C:\daxjjwrfm\qbpabupgx.exe C:\daxjjwrfm\qbpabupgx.exe
Source: C:\daxjjwrfm\qbpabupgx.exe	Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "C:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\tkjnbticppc.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\qbpabupgx.exe	Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\daxjjwrfm\tkjnbticppc.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "c:\daxjjwrfm\qbpabupgx.exe"
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Process created: C:\daxjjwrfm\ew3dvaplid9hjn8.exe "C:\daxjjwrfm\ew3dvaplid9hjn8.exe"	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "C:\daxjjwrfm\qbpabupgx.exe"	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "c:\daxjjwrfm\qbpabupgx.exe"	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Process created: C:\daxjjwrfm\tkjnbticppc.exe mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Process created: C:\daxjjwrfm\qbpabupgx.exe "c:\daxjjwrfm\qbpabupgx.exe"	Jump to behavior

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_0003DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

0_2_0003DB50

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_00018075 push edi; iretd	0_2_00018082
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_0001948D push ebx; ret	0_2_0001949F
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF948D push ebx; ret	2_2_00AF949F
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF8075 push edi; iretd	2_2_00AF8082
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F8075 push edi; iretd	3_2_004F8082
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F948D push ebx; ret	3_2_004F949F
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_0050E33C pushfd ; ret	3_2_0050E341
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_00398075 push edi; iretd	4_2_00398082
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_0039948D push ebx; ret	4_2_0039949F
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F8075 push edi; iretd	5_2_004F8082
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F948D push ebx; ret	5_2_004F949F
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_0050E33C pushfd ; ret	5_2_0050E341
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E78075 push edi; iretd	10_2_00E78082
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E8E340 pushfd ; ret	10_2_00E8E341
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E7948D push ebx; ret	10_2_00E7949F

Source: 66HKNPT1fl.exe	Static PE information: section name: .text entropy: 6.914886364886215
Source: ew3dvaplid9hjn8.exe.0.dr	Static PE information: section name: .text entropy: 6.914886364886215
Source: qbpabupgx.exe.2.dr	Static PE information: section name: .text entropy: 6.914886364886215
Source: tkjnbticppc.exe.3.dr	Static PE information: section name: .text entropy: 6.914886364886215

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	File created: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Jump to dropped file
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	File created: C:\daxjjwrfm\qbpabupgx.exe	Jump to dropped file
Source: C:\daxjjwrfm\qbpabupgx.exe	File created: C:\daxjjwrfm\tkjnbticppc.exe	Jump to dropped file

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_00035010 StartServiceCtrlDispatcherA,

0_2_00035010

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	0_2_0003A050
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_00B1A050
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	3_2_0051A050
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_003BA050
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	5_2_0051A050
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_00E9A050

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_00B1DB50
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		3_2_0051DB50

Source: C:\daxjjwrfm\tkjnbticppc.exe	Window / User API: threadDelayed 619	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Window / User API: threadDelayed 1255	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Window / User API: threadDelayed 596	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe	Window / User API: threadDelayed 1278	Jump to behavior

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_2-9494
Source: C:\daxjjwrfm\qbpabupgx.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_5-8346
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-9462
Source: C:\daxjjwrfm\tkjnbticppc.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_4-9471

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_2-7971
Source: C:\daxjjwrfm\tkjnbticppc.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_4-8225
Source: C:\daxjjwrfm\qbpabupgx.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_3-7288
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-8538
Source: C:\daxjjwrfm\qbpabupgx.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_3-7267

Source: C:\daxjjwrfm\qbpabupgx.exe TID: 7972	Thread sleep time: -37774s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7968	Thread sleep count: 619 > 30	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7968	Thread sleep time: -619000s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7968	Thread sleep count: 1255 > 30	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 7968	Thread sleep time: -1255000s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 2716	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 2316	Thread sleep time: -39996s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe TID: 2716	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 3420	Thread sleep count: 596 > 30	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 3420	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 3420	Thread sleep count: 1278 > 30	Jump to behavior
Source: C:\daxjjwrfm\tkjnbticppc.exe TID: 3420	Thread sleep time: -1278000s >= -30000s	Jump to behavior

Source: C:\daxjjwrfm\qbpabupgx.exe	Last function: Thread delayed
Source: C:\daxjjwrfm\qbpabupgx.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	Code function: 0_2_000160A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_000160A0
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	Code function: 2_2_00AF60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00AF60A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 3_2_004F60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_004F60A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 4_2_003960A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_003960A0
Source: C:\daxjjwrfm\qbpabupgx.exe	Code function: 5_2_004F60A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_004F60A0
Source: C:\daxjjwrfm\tkjnbticppc.exe	Code function: 10_2_00E760A0 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00E760A0

Source: C:\daxjjwrfm\qbpabupgx.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\daxjjwrfm\qbpabupgx.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: ew3dvaplid9hjn8.exe, 00000002.00000002.1388727341.000000000054E000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000003.00000002.2146734958.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000009.00000002.3176208375.0000000001617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-8009
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-7972
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-8027
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-8136
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-8173
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-8125
Source: C:\Users\user\Desktop\66HKNPT1fl.exe	API call chain: ExitProcess graph end node	graph_0-7954
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	API call chain: ExitProcess graph end node	graph_2-8018
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	API call chain: ExitProcess graph end node	graph_2-8004
Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe	API call chain: ExitProcess graph end node	graph_2-7978
Source: C:\daxjjwrfm\qbpabupgx.exe	API call chain: ExitProcess graph end node	graph_3-7927
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node	graph_4-8138
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node	graph_4-8102
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node	graph_4-8158
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node	graph_4-8084
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node	graph_4-8127
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node
Source: C:\daxjjwrfm\tkjnbticppc.exe	API call chain: ExitProcess graph end node

Source: C:\daxjjwrfm\qbpabupgx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_0003DB50 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

0_2_0003DB50

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_0002C520 GetProcessHeap,RtlFreeHeap,

0_2_0002C520

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_0003C640 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0003C640

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_000399B0 GetSystemTime,GetTickCount,

0_2_000399B0

Source: C:\Users\user\Desktop\66HKNPT1fl.exe

Code function: 0_2_00022490 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

0_2_00022490

Source: C:\daxjjwrfm\ew3dvaplid9hjn8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	4 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
66HKNPT1fl.exe	89%	ReversingLabs	Win32.Trojan.Bayrob
66HKNPT1fl.exe	100%	Avira	HEUR/AGEN.1318578
66HKNPT1fl.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\daxjjwrfm\qbpabupgx.exe	100%	Avira	HEUR/AGEN.1318578
C:\daxjjwrfm\tkjnbticppc.exe	100%	Avira	HEUR/AGEN.1318578
C:\daxjjwrfm\ew3dvaplid9hjn8.exe	100%	Avira	HEUR/AGEN.1318578
C:\daxjjwrfm\qbpabupgx.exe	100%	Joe Sandbox ML
C:\daxjjwrfm\tkjnbticppc.exe	100%	Joe Sandbox ML
C:\daxjjwrfm\ew3dvaplid9hjn8.exe	100%	Joe Sandbox ML
C:\daxjjwrfm\ew3dvaplid9hjn8.exe	89%	ReversingLabs	Win32.Trojan.Bayrob
C:\daxjjwrfm\qbpabupgx.exe	89%	ReversingLabs	Win32.Trojan.Bayrob
C:\daxjjwrfm\tkjnbticppc.exe	89%	ReversingLabs	Win32.Trojan.Bayrob

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
returnbottle.net	18.143.155.63	true	false	high
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	true	unknown
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	true	unknown
heaveninside.net	unknown	unknown	true	unknown
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	true	unknown
pleasantinside.net	unknown	unknown	true	unknown
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	true	unknown
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	true	unknown
orderinside.net	unknown	unknown	true	unknown
variousappear.net	unknown	unknown	true	unknown
returnbright.net	unknown	unknown	true	unknown
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	true	unknown
forwardready.net	unknown	unknown	true	unknown
glassdaughter.net	unknown	unknown	true	unknown
necessarymanner.net	unknown	unknown	false	high
leadernothing.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	true	unknown
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	true	unknown
gentleinstead.net	unknown	unknown	true	unknown
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultmanner.net	unknown	unknown	false	high
glassexplain.net	unknown	unknown	true	unknown
requireinside.net	unknown	unknown	true	unknown
heavenexplain.net	unknown	unknown	true	unknown
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	true	unknown
gentleappear.net	unknown	unknown	true	unknown
pleasantbright.net	unknown	unknown	true	unknown
returnexplain.net	unknown	unknown	true	unknown
gentlemanner.net	unknown	unknown	true	unknown
answerdaughter.net	unknown	unknown	true	unknown
heardinside.net	unknown	unknown	true	unknown
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	true	unknown
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	true	unknown
difficultbright.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	true	unknown
requireinstead.net	unknown	unknown	true	unknown
necessaryinside.net	unknown	unknown	true	unknown
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	true	unknown
variousbright.net	unknown	unknown	true	unknown
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	true	unknown
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	true	unknown
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	true	unknown
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	true	unknown
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	true	unknown
degreeinstead.net	unknown	unknown	true	unknown
degreepeople.net	unknown	unknown	true	unknown
answerready.net	unknown	unknown	true	unknown
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	true	unknown
heavennothing.net	unknown	unknown	false	high
returninside.net	unknown	unknown	true	unknown
forwardbright.net	unknown	unknown	true	unknown
difficultinside.net	unknown	unknown	true	unknown
heavybright.net	unknown	unknown	true	unknown
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	true	unknown
difficultinstead.net	unknown	unknown	true	unknown
heavenappear.net	unknown	unknown	true	unknown
answerinside.net	unknown	unknown	true	unknown
degreebright.net	unknown	unknown	true	unknown
forwardbrown.net	unknown	unknown	true	unknown
heavyinstead.net	unknown	unknown	true	unknown
gentleinside.net	unknown	unknown	true	unknown
heardexplain.net	unknown	unknown	true	unknown
heavyappear.net	unknown	unknown	true	unknown
answerpeople.net	unknown	unknown	true	unknown
pleasantexplain.net	unknown	unknown	true	unknown
requireexplain.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	qbpabupgx.exe, 00000003.00000002.2146734958.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, qbpabupgx.exe, 00000009.00000002.3176208375.0000000001617000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551208
Start date and time:	2024-11-07 15:48:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	66HKNPT1fl.exe renamed because original name is a hash value
Original Sample Name:	93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@14/5@335/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 85 Number of non-executed functions: 110
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 66HKNPT1fl.exe

Simulations

Behavior and APIs

Time	Type	Description
09:49:39	API Interceptor	3687x Sleep call for process: tkjnbticppc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.143.155.63	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
85.214.228.140	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	degreedaughter.net/index.php
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	dlynankz.biz/mfjpaqkdwglsvxqo
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	dlynankz.biz/rgkgvuyxljjatio
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	dlynankz.biz/pio
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	dlynankz.biz/og

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
degreedaughter.net	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
s-part-0017.t-0009.t-msedge.net	https://eu.docworkspace.com/d/sIGWvrvOeAYXvpLkG	Get hash	malicious	Unknown	Browse	13.107.246.45
	Q7oJsypKoV.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	aAr67hajkj.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://app.smartsheet.com/b/form/d72b00b027df4e38a9b052ac176790d8	Get hash	malicious	Unknown	Browse	13.107.246.45
	4fDCjpuTvi.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	cONc2eILoR.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
7450.bodis.com	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78
STRATOSTRATOAGDE	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	http://googe.de	Get hash	malicious	Unknown	Browse	85.214.62.112
	debug.dbg.elf	Get hash	malicious	Mirai	Browse	85.215.233.6
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	81.169.145.95
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	85.214.228.140
BODIS-NJUS	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DBROG0eWH7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
AMAZON-02US	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	ch89yHIa99.exe	Get hash	malicious	Ducktail	Browse	13.35.58.111
	ub7ZX9i3k6.exe	Get hash	malicious	Ducktail	Browse	13.35.58.86
	uupEsxBhAI.exe	Get hash	malicious	Ducktail	Browse	13.35.58.78

Process:	C:\Users\user\Desktop\66HKNPT1fl.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ej:ej
MD5:	2D0985C59DB9049A2394A00B369922BA
SHA1:	CDC3557373CD4FB044D4D63C30DC1C07FCE6EC97
SHA-256:	A22E9689649DCADDAB2A6FCE1A88B715EC53B59E48FD29B526E16E7FFA8A0CA7
SHA-512:	C2119D490AC9105DC0E488CDC1A6397E0F4F20AF9B60EF02164C1989B8B5DAD0F4F478DF909DB528E68F77087C2875E60A6FCEB7072E67C59B938F48B6A41283
Malicious:	false
Reputation:	low
Preview:	..H{y._J

C:\daxjjwrfm\ew3dvaplid9hjn8.exe

Download File

Process:	C:\Users\user\Desktop\66HKNPT1fl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248320
Entropy (8bit):	7.1562498967433505
Encrypted:	false
SSDEEP:	3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5:	F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1:	FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256:	93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512:	50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\daxjjwrfm\nozyy3rc2p

Download File

Process:	C:\Users\user\Desktop\66HKNPT1fl.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ej:ej
MD5:	2D0985C59DB9049A2394A00B369922BA
SHA1:	CDC3557373CD4FB044D4D63C30DC1C07FCE6EC97
SHA-256:	A22E9689649DCADDAB2A6FCE1A88B715EC53B59E48FD29B526E16E7FFA8A0CA7
SHA-512:	C2119D490AC9105DC0E488CDC1A6397E0F4F20AF9B60EF02164C1989B8B5DAD0F4F478DF909DB528E68F77087C2875E60A6FCEB7072E67C59B938F48B6A41283
Malicious:	false
Preview:	..H{y._J

C:\daxjjwrfm\qbpabupgx.exe

Download File

Process:	C:\daxjjwrfm\ew3dvaplid9hjn8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248320
Entropy (8bit):	7.1562498967433505
Encrypted:	false
SSDEEP:	3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5:	F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1:	FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256:	93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512:	50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\daxjjwrfm\tkjnbticppc.exe

Download File

Process:	C:\daxjjwrfm\qbpabupgx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248320
Entropy (8bit):	7.1562498967433505
Encrypted:	false
SSDEEP:	3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
MD5:	F0D9A1E7385ED0EA2ECE3D30915163D5
SHA1:	FA25BB798E084DDFA0AD97B659B49A405FA19B22
SHA-256:	93469D74887267A8FBEED3A59094DDFBE12C991D800B4011B1CE5BE62F6E27F3
SHA-512:	50D640BB92E2E98AFD47D14DFAB9855D9F9C2D2F9CF7346FFF6F69B195F8A98232A9BCA964CF51C384F389B4FACD3CE9577E739BDF709D1F2E918A2EBB408C26
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]..]..].V&..]..\..].....].....].Rich..].........................PE..L...d_5S.....................@.......m....... ....@..........................p............@.................................\"..P...............................tu................................................... ..h............................text............................... ..`.rdata....... ......................@..@.data........0...>..................@....reloc...v.......x...R..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1562498967433505
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	66HKNPT1fl.exe
File size:	248'320 bytes
MD5:	f0d9a1e7385ed0ea2ece3d30915163d5
SHA1:	fa25bb798e084ddfa0ad97b659b49a405fa19b22
SHA256:	93469d74887267a8fbeed3a59094ddfbe12c991d800b4011b1ce5be62f6e27f3
SHA512:	50d640bb92e2e98afd47d14dfab9855d9f9c2d2f9cf7346fff6f69b195f8a98232a9bca964cf51c384f389b4facd3ce9577e739bdf709d1f2e918a2ebb408c26
SSDEEP:	3072:r/FjWEUzcSG8sGAVlElIY68MjAshfv6FKzFn8kysCdxYcYQ6OZadi6IyngAUexv6:ZF86JOvshn6FulCjl6cMWyJip
TLSH:	FE34AD66D6100137DC5125FD866C3BB2EA5E9278BF1811C3839636E82CB0AD9DA3774F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]...]...]..V&...]...\...].......].......].Rich..].........................PE..L...d_5S.....................@.......m.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x426d10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x53355F64 [Fri Mar 28 11:39:16 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	24940cd2712c7c6b52de6089584e9809

Entrypoint Preview

Instruction
mov ax, word ptr [00447212h]
mov ecx, dword ptr [0043CA38h]
cwde
push esi
or esi, FFFFFFFFh
add word ptr [00447212h], si
add ecx, eax
cmp ecx, B13E0982h
jl 00007F7F65363D6Bh
mov dx, word ptr [0044DE84h]
mov ecx, dword ptr [00444F1Ch]
movsx eax, dx
and ecx, eax
mov word ptr [0044DE84h], cx
call 00007F7F6533FEF5h
add dword ptr [0043DF88h], DEFAFFFCh
call 00007F7F6533F0D6h
add dword ptr [00441E54h], esi
inc word ptr [0044C23Eh]
mov dx, word ptr [0044C23Eh]
mov ecx, dword ptr [00441E54h]
movsx eax, dx
add eax, 6DA8752Dh
or ecx, eax
cmp ecx, 40440043h
jnle 00007F7F65363D7Ch
mov eax, dword ptr [004381ECh]
mov edx, dword ptr [00438A5Ch]
and eax, F5B7F8B7h
xor eax, C6284EF0h
sub edx, 4E4EEEC7h
cmp eax, edx
jnl 00007F7F65363D5Dh
mov eax, dword ptr [004432A4h]
mov ecx, dword ptr [0044634Ch]
push 00432170h
push 00432168h
call 00007F7F65362391h
and dword ptr [00443E18h], 6DD9F72Ah
add esp, 08h
call 00007F7F653555DFh
mov ax, word ptr [eax]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3225c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4f000	0x7574	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x302ca	0x30400	21f0700076e95abb4de47cbbef8cda48	False	0.7262437257124352	data	6.914886364886215	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa04	0xc00	fbf38fd25ffe3b995354a30109bba30b	False	0.3968098958333333	data	4.798427724315568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x33000	0x1bb84	0x3e00	8fb1345fac8c46c706ce75db7ee26be4	False	0.9133064516129032	data	7.277764464021273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4f000	0x76c8	0x7800	0e5310d3716de90a99d1ab24adebaa09	False	0.7573893229166667	data	6.814004846803548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	UpdateColors, GetBkColor, GetFontUnicodeRanges, GetFontLanguageInfo, GetTextCharset, SetTextJustification, GetTextAlign, GetStretchBltMode, SetTextAlign, GetClipRgn, GetSystemPaletteUse, GetRandomRgn, SetPixel, GetPolyFillMode, GetDCPenColor, SetTextColor, GetPixelFormat, GetMetaRgn, GetNearestColor, GetTextColor, GetNearestPaletteIndex, GetDeviceCaps, GetMapMode, GetTextCharsetInfo, GetObjectType, GetGraphicsMode, GetTextCharacterExtra
USER32.dll	SetFocus, LoadIconA, DrawTextA, GetDlgItem, GetDlgItemInt, GetPropA, GetMenuItemID, EndPaint, GetWindowDC, EnableWindow, SetWindowTextA, GetInputState, GetMenu, MoveWindow, CheckDlgButton, GetMenuCheckMarkDimensions, EndDialog, WindowFromDC, RemovePropA, IsWindowUnicode, SetDlgItemTextA, PostMessageA, GetScrollPos, BeginPaint, SendMessageA, IsWindowEnabled, GetWindowContextHelpId, GetWindowLongA, GetKeyboardType, GetMenuContextHelpId, GetMenuItemCount
KERNEL32.dll	GetProcAddress, GetFileType, GetCurrentProcessId, CloseHandle, GlobalHandle, GetCurrentThreadId, IsDebuggerPresent, SetFilePointer, IsProcessorFeaturePresent, LocalFlags, LockResource, GetCurrentProcess, GetModuleHandleA, MoveFileA, DeleteFileA, QueryPerformanceCounter, GlobalSize, GetTickCount, GlobalFlags, GetFileTime, GetLastError, FindResourceA, FindClose, FlushFileBuffers, GlobalAlloc, LoadResource, GetStdHandle, GetProcessHeap, HeapAlloc

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T15:49:12.433600+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	49762	18.143.155.63	80	TCP
2024-11-07T15:49:12.433600+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	49762	18.143.155.63	80	TCP
2024-11-07T15:49:12.799667+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.9	49762	TCP
2024-11-07T15:49:12.799667+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.9	49762	TCP
2024-11-07T15:49:12.872107+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.9	54573	UDP
2024-11-07T15:49:13.682285+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	51021	UDP
2024-11-07T15:49:15.328986+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.9	49777	TCP
2024-11-07T15:49:15.328986+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.9	49777	TCP
2024-11-07T15:49:22.009191+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.9	49816	TCP
2024-11-07T15:49:49.133139+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.9	56356	TCP
2024-11-07T15:50:28.894624+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.9	52991	UDP
2024-11-07T15:50:34.229870+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.9	56372	54.244.188.177	80	TCP
2024-11-07T15:50:34.229870+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.9	56372	54.244.188.177	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:49:10.000360966 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.005685091 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.005795956 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.005867958 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.011821032 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.634885073 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.634932995 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.634977102 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.636579037 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.636640072 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.636694908 CET	49756	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:10.641571999 CET	80	49756	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:10.946856976 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:10.951848984 CET	80	49762	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:10.951939106 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:10.952044964 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:10.957076073 CET	80	49762	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:12.381201029 CET	80	49762	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:12.433599949 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:12.799666882 CET	80	49762	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:12.799725056 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:12.799772024 CET	49762	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:12.804661989 CET	80	49762	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:14.058104992 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:14.338301897 CET	80	49777	54.244.188.177	192.168.2.9
Nov 7, 2024 15:49:14.338380098 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:14.338469028 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:14.343326092 CET	80	49777	54.244.188.177	192.168.2.9
Nov 7, 2024 15:49:15.212112904 CET	80	49777	54.244.188.177	192.168.2.9
Nov 7, 2024 15:49:15.261698961 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:15.328985929 CET	80	49777	54.244.188.177	192.168.2.9
Nov 7, 2024 15:49:15.331542015 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:15.334743977 CET	49777	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:49:15.340593100 CET	80	49777	54.244.188.177	192.168.2.9
Nov 7, 2024 15:49:16.022538900 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.028196096 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:16.028294086 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.028371096 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.033754110 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:16.689922094 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:16.690118074 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:16.690181971 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.690242052 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:16.690290928 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.690318108 CET	49788	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:49:16.695178032 CET	80	49788	199.59.243.227	192.168.2.9
Nov 7, 2024 15:49:17.057004929 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:17.061849117 CET	80	49796	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:17.061932087 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:17.062005043 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:17.066814899 CET	80	49796	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:18.545285940 CET	80	49796	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:18.589838028 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:18.957907915 CET	80	49796	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:18.958105087 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:18.958133936 CET	49796	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:49:18.964313984 CET	80	49796	18.143.155.63	192.168.2.9
Nov 7, 2024 15:49:20.286525011 CET	49813	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:49:20.291563988 CET	80	49813	85.214.228.140	192.168.2.9
Nov 7, 2024 15:49:20.291651011 CET	49813	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:49:20.291795969 CET	49813	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:49:20.296802998 CET	80	49813	85.214.228.140	192.168.2.9
Nov 7, 2024 15:49:21.223330975 CET	80	49813	85.214.228.140	192.168.2.9
Nov 7, 2024 15:49:21.223511934 CET	49813	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:49:21.230354071 CET	80	49813	85.214.228.140	192.168.2.9
Nov 7, 2024 15:49:21.230428934 CET	49813	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:50:29.209475040 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.214951992 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:29.215130091 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.215151072 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.220613956 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:29.886287928 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:29.886425018 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:29.886573076 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.918497086 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:29.918574095 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.918632984 CET	56370	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:29.923988104 CET	80	56370	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:30.006879091 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:30.012741089 CET	80	56371	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:30.012868881 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:30.012887955 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:30.018049002 CET	80	56371	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:31.451720953 CET	80	56371	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:31.495410919 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:31.875253916 CET	80	56371	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:31.875336885 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:31.875390053 CET	56371	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:31.884190083 CET	80	56371	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:33.288203001 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:33.293162107 CET	80	56372	54.244.188.177	192.168.2.9
Nov 7, 2024 15:50:33.293263912 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:33.293332100 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:33.298163891 CET	80	56372	54.244.188.177	192.168.2.9
Nov 7, 2024 15:50:34.188704967 CET	80	56372	54.244.188.177	192.168.2.9
Nov 7, 2024 15:50:34.229870081 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:34.309884071 CET	80	56372	54.244.188.177	192.168.2.9
Nov 7, 2024 15:50:34.309962034 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:34.310163975 CET	56372	80	192.168.2.9	54.244.188.177
Nov 7, 2024 15:50:34.314929962 CET	80	56372	54.244.188.177	192.168.2.9
Nov 7, 2024 15:50:34.709233999 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:34.714549065 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:34.714624882 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:34.714670897 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:34.719537973 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:35.341522932 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:35.341628075 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:35.341681957 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:35.342463017 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:35.342525005 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:35.342592955 CET	56373	80	192.168.2.9	199.59.243.227
Nov 7, 2024 15:50:35.348095894 CET	80	56373	199.59.243.227	192.168.2.9
Nov 7, 2024 15:50:35.661621094 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:35.667201042 CET	80	56374	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:35.667282104 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:35.667350054 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:35.672830105 CET	80	56374	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:37.130047083 CET	80	56374	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:37.182895899 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:37.560125113 CET	80	56374	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:37.560225010 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:37.560306072 CET	56374	80	192.168.2.9	18.143.155.63
Nov 7, 2024 15:50:37.565324068 CET	80	56374	18.143.155.63	192.168.2.9
Nov 7, 2024 15:50:38.799017906 CET	56375	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:50:38.804677963 CET	80	56375	85.214.228.140	192.168.2.9
Nov 7, 2024 15:50:38.804800034 CET	56375	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:50:38.804857969 CET	56375	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:50:38.809886932 CET	80	56375	85.214.228.140	192.168.2.9
Nov 7, 2024 15:50:39.689093113 CET	80	56375	85.214.228.140	192.168.2.9
Nov 7, 2024 15:50:39.689310074 CET	56375	80	192.168.2.9	85.214.228.140
Nov 7, 2024 15:50:39.695172071 CET	80	56375	85.214.228.140	192.168.2.9
Nov 7, 2024 15:50:39.695287943 CET	56375	80	192.168.2.9	85.214.228.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 15:49:08.921267033 CET	57497	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:08.931904078 CET	53	57497	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:08.933347940 CET	63847	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:08.964145899 CET	53	63847	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:08.970968008 CET	56583	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.002372980 CET	53	56583	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.003174067 CET	63708	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.033591032 CET	53	63708	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.034266949 CET	64049	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.043936968 CET	53	64049	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.046657085 CET	51981	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.076956987 CET	53	51981	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.078241110 CET	61211	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.088481903 CET	53	61211	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.089620113 CET	53158	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.121536970 CET	53	53158	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.125448942 CET	62726	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.135730028 CET	53	62726	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.154241085 CET	49343	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.327040911 CET	53	49343	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.514740944 CET	64016	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.525682926 CET	53	64016	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.526369095 CET	57696	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.536647081 CET	53	57696	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.537337065 CET	52319	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.548413992 CET	53	52319	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.549215078 CET	51486	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.581334114 CET	53	51486	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.582099915 CET	53465	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.591408968 CET	53	53465	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:09.592950106 CET	52494	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:09.998265028 CET	53	52494	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:10.638968945 CET	53023	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:10.648808956 CET	53	53023	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:10.649652004 CET	51459	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:10.660598040 CET	53	51459	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:10.661371946 CET	50699	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:10.671106100 CET	53	50699	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:10.671818972 CET	51443	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:10.681005955 CET	53	51443	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:10.681627989 CET	59820	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:10.946204901 CET	53	59820	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.800426960 CET	63929	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.809362888 CET	53	63929	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.810117960 CET	53199	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.819823980 CET	53	53199	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.820542097 CET	55724	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.829943895 CET	53	55724	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.830760002 CET	52296	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.840373039 CET	53	52296	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.841084957 CET	64118	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.850922108 CET	53	64118	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.851712942 CET	62707	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.861757040 CET	53	62707	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.862629890 CET	54573	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.872107029 CET	53	54573	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.872678995 CET	63850	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.907372952 CET	53	63850	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.914840937 CET	60157	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.924952030 CET	53	60157	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.925559998 CET	56075	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.956357002 CET	53	56075	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.957278967 CET	58184	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.990556002 CET	53	58184	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.991750956 CET	50682	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:12.999067068 CET	53	50682	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:12.999700069 CET	59547	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.033221006 CET	53	59547	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.034022093 CET	57806	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.045126915 CET	53	57806	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.045780897 CET	54780	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.055738926 CET	53	54780	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.056420088 CET	51872	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.088169098 CET	53	51872	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.088980913 CET	63201	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.099796057 CET	53	63201	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.100533009 CET	56825	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.132309914 CET	53	56825	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.133116961 CET	52469	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.147173882 CET	53	52469	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.148113012 CET	59432	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.159039974 CET	53	59432	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.159953117 CET	50343	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.169950008 CET	53	50343	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.170764923 CET	60292	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.180988073 CET	53	60292	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.181607962 CET	55720	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.212989092 CET	53	55720	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.213766098 CET	62263	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.244515896 CET	53	62263	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.245229006 CET	57662	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.255616903 CET	53	57662	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.256453037 CET	57131	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.266153097 CET	53	57131	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.273838043 CET	52563	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.284729958 CET	53	52563	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.285363913 CET	55098	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.296072960 CET	53	55098	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.296741009 CET	61585	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.327910900 CET	53	61585	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.328913927 CET	56562	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.360156059 CET	53	56562	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.360985041 CET	52008	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.371160030 CET	53	52008	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.371820927 CET	55205	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.402635098 CET	53	55205	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.403414965 CET	59542	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.434674025 CET	53	59542	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.435302019 CET	49163	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.444956064 CET	53	49163	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.445844889 CET	54187	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.453526974 CET	53	54187	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.454080105 CET	54629	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.463742971 CET	53	54629	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.464221001 CET	63172	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.473587990 CET	53	63172	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.474232912 CET	54681	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.485110044 CET	53	54681	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.485729933 CET	62644	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.516853094 CET	53	62644	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.517602921 CET	61645	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.526807070 CET	53	61645	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.527616978 CET	56574	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.537838936 CET	53	56574	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.538496971 CET	50176	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.549238920 CET	53	50176	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.550060987 CET	55433	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.581810951 CET	53	55433	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.582726955 CET	62656	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.592744112 CET	53	62656	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.593519926 CET	53808	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.603055000 CET	53	53808	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.603871107 CET	51385	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.614237070 CET	53	51385	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.616965055 CET	58690	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.628088951 CET	53	58690	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.628843069 CET	64785	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.638617992 CET	53	64785	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.639239073 CET	58200	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.670644045 CET	53	58200	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.671592951 CET	51021	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.682285070 CET	53	51021	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.682915926 CET	52668	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.695362091 CET	53	52668	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.696273088 CET	52693	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.703493118 CET	53	52693	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.704335928 CET	58361	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:13.713155985 CET	53	58361	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:13.713859081 CET	59449	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:14.057542086 CET	53	59449	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.335496902 CET	53594	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.367727041 CET	53	53594	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.368925095 CET	49191	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.378793955 CET	53	49191	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.379664898 CET	61244	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.410432100 CET	53	61244	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.411297083 CET	52142	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.421564102 CET	53	52142	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.422255993 CET	55766	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.429342031 CET	53	55766	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.430025101 CET	52008	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.440540075 CET	53	52008	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.441163063 CET	59543	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.450385094 CET	53	59543	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.451075077 CET	59049	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.460942030 CET	53	59049	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.461564064 CET	55122	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.471343040 CET	53	55122	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.472067118 CET	62775	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.482135057 CET	53	62775	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.482841015 CET	60868	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.515073061 CET	53	60868	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.515788078 CET	57433	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.525993109 CET	53	57433	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.526658058 CET	59700	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.536242008 CET	53	59700	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.536891937 CET	50439	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.567677975 CET	53	50439	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.568599939 CET	63188	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.578258038 CET	53	63188	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.579072952 CET	63700	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.611049891 CET	53	63700	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.612051964 CET	64172	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.621836901 CET	53	64172	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.622694016 CET	59089	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.631819010 CET	53	59089	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.632766008 CET	51414	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.644392967 CET	53	51414	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.647746086 CET	63135	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.657995939 CET	53	63135	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.681132078 CET	62049	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.712976933 CET	53	62049	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.714056015 CET	55255	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.726629972 CET	53	55255	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.727488041 CET	56303	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.762072086 CET	53	56303	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.763012886 CET	61625	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.774578094 CET	53	61625	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.775341988 CET	55199	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:15.810655117 CET	53	55199	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:15.811594009 CET	55005	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.019627094 CET	53	55005	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.690939903 CET	54223	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.700093031 CET	53	54223	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.700848103 CET	49775	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.710598946 CET	53	49775	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.711560965 CET	52892	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.743125916 CET	53	52892	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.744110107 CET	63479	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.755172014 CET	53	63479	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.755903006 CET	62272	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.765244961 CET	53	62272	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.765861988 CET	65376	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.776339054 CET	53	65376	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.777021885 CET	53549	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.788531065 CET	53	53549	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.789094925 CET	65257	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.820300102 CET	53	65257	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.820897102 CET	55544	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.852547884 CET	53	55544	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.853164911 CET	56708	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:16.865071058 CET	53	56708	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:16.865565062 CET	54132	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:17.056256056 CET	53	54132	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:18.959296942 CET	52856	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:18.993046045 CET	53	52856	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:18.994071960 CET	50745	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.004070044 CET	53	50745	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.004832983 CET	53176	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.038043022 CET	53	53176	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.038866997 CET	64602	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.050812960 CET	53	64602	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.051556110 CET	64316	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.084249020 CET	53	64316	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.085283041 CET	60208	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.097470045 CET	53	60208	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.107765913 CET	61538	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.119432926 CET	53	61538	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.120485067 CET	53696	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.152745008 CET	53	53696	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.153968096 CET	61793	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.191637039 CET	53	61793	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.192814112 CET	50938	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.205260038 CET	53	50938	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.206295013 CET	53536	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.216685057 CET	53	53536	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.217343092 CET	55516	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.228319883 CET	53	55516	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.229280949 CET	55238	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.239236116 CET	53	55238	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.239954948 CET	51024	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.273931980 CET	53	51024	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.274682045 CET	54511	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.285948992 CET	53	54511	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.286657095 CET	59005	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.299053907 CET	53	59005	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.300102949 CET	59781	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.310216904 CET	53	59781	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.310889006 CET	50965	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.475277901 CET	53	50965	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.476666927 CET	59274	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.487433910 CET	53	59274	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.488461018 CET	56086	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.499526978 CET	53	56086	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.500582933 CET	53260	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.509341002 CET	53	53260	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.510128021 CET	51368	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.545067072 CET	53	51368	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.546144009 CET	49384	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.556724072 CET	53	49384	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.557279110 CET	57908	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.569519043 CET	53	57908	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.570133924 CET	58759	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.601066113 CET	53	58759	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.601934910 CET	60037	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.612663031 CET	53	60037	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.613575935 CET	50243	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.649933100 CET	53	50243	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.650908947 CET	58731	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.664751053 CET	53	58731	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.665638924 CET	54187	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.678813934 CET	53	54187	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.679744959 CET	51187	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.692347050 CET	53	51187	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.693254948 CET	58786	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.724493027 CET	53	58786	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.725316048 CET	58573	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.887726068 CET	53	58573	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.888958931 CET	54303	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.920579910 CET	53	54303	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.921819925 CET	49247	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.936417103 CET	53	49247	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.937139988 CET	51529	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.950788975 CET	53	51529	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.951457024 CET	58806	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:19.982711077 CET	53	58806	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:19.983597040 CET	56426	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.015873909 CET	53	56426	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.016810894 CET	54434	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.026814938 CET	53	54434	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.027594090 CET	62358	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.038037062 CET	53	62358	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.038660049 CET	65254	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.050216913 CET	53	65254	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.051012039 CET	53689	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.083918095 CET	53	53689	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.084830046 CET	54458	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.117528915 CET	53	54458	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.118428946 CET	58348	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.127818108 CET	53	58348	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.129400969 CET	50880	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.140700102 CET	53	50880	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.143332005 CET	55508	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.174204111 CET	53	55508	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:20.175358057 CET	57404	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:20.285939932 CET	53	57404	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.224307060 CET	54298	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.256206989 CET	53	54298	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.257157087 CET	50673	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.293313026 CET	53	50673	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.294055939 CET	56746	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.305421114 CET	53	56746	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.306222916 CET	56275	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.315792084 CET	53	56275	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.316474915 CET	56877	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.326724052 CET	53	56877	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.327322960 CET	64763	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.336849928 CET	53	64763	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.337572098 CET	58163	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.347054958 CET	53	58163	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.347692966 CET	64346	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.359325886 CET	53	64346	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.360043049 CET	53020	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.371486902 CET	53	53020	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.372164011 CET	57836	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.404402971 CET	53	57836	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.405139923 CET	63913	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.414870024 CET	53	63913	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:21.415690899 CET	55460	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:21.425367117 CET	53	55460	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:34.356103897 CET	61579	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:49:34.387767076 CET	53	61579	1.1.1.1	192.168.2.9
Nov 7, 2024 15:49:47.473023891 CET	53	62871	162.159.36.2	192.168.2.9
Nov 7, 2024 15:49:48.088494062 CET	53	61856	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.643997908 CET	58296	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.653969049 CET	53	58296	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.655499935 CET	51510	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.819984913 CET	53	51510	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.821135998 CET	54118	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.831336021 CET	53	54118	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.832320929 CET	50579	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.843178988 CET	53	50579	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.851861954 CET	63464	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.882821083 CET	53	63464	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.883897066 CET	52991	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.894623995 CET	53	52991	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.895530939 CET	49671	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.907344103 CET	53	49671	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.908179045 CET	61499	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.917670012 CET	53	61499	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.918661118 CET	53412	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:28.950149059 CET	53	53412	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:28.951003075 CET	53640	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.124773026 CET	53	53640	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.125854969 CET	60474	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.136356115 CET	53	60474	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.137227058 CET	54615	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.169091940 CET	53	54615	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.170145988 CET	50257	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.181204081 CET	53	50257	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.182229996 CET	49647	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.194171906 CET	53	49647	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.195220947 CET	49736	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.205931902 CET	53	49736	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.919358015 CET	52180	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.952070951 CET	53	52180	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.953047991 CET	60029	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.986409903 CET	53	60029	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.987337112 CET	65476	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:29.995012999 CET	53	65476	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:29.995675087 CET	59635	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:30.006134033 CET	53	59635	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.876291990 CET	65002	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.891206026 CET	53	65002	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.892009020 CET	60933	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.906213045 CET	53	60933	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.907500029 CET	54971	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.921438932 CET	53	54971	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.923247099 CET	62095	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.937448025 CET	53	62095	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.938349009 CET	56689	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.951960087 CET	53	56689	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.952721119 CET	64371	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.965872049 CET	53	64371	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.966800928 CET	53591	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.977864981 CET	53	53591	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.978810072 CET	58153	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:31.993380070 CET	53	58153	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:31.994147062 CET	55324	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.005217075 CET	53	55324	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.005917072 CET	52923	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.176177025 CET	53	52923	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.177311897 CET	56647	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.187567949 CET	53	56647	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.188591003 CET	60706	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.200071096 CET	53	60706	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.200965881 CET	54663	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.211034060 CET	53	54663	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.211811066 CET	62191	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.220937014 CET	53	62191	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.221868992 CET	62811	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.232353926 CET	53	62811	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.233222008 CET	57250	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.251966953 CET	53	57250	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.252914906 CET	49949	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.284416914 CET	53	49949	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.285739899 CET	61310	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.296153069 CET	53	61310	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.301851988 CET	62107	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.333589077 CET	53	62107	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.335244894 CET	53263	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.344705105 CET	53	53263	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.346179008 CET	51629	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.356528997 CET	53	51629	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.357232094 CET	62529	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.368113995 CET	53	62529	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.368752003 CET	49826	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.378681898 CET	53	49826	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.379467964 CET	56406	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.389421940 CET	53	56406	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.390126944 CET	53228	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.564840078 CET	53	53228	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.565826893 CET	65464	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.598718882 CET	53	65464	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.599742889 CET	59096	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.611998081 CET	53	59096	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.612946987 CET	57976	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.645318031 CET	53	57976	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.646431923 CET	58754	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.658052921 CET	53	58754	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.658968925 CET	57739	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.691165924 CET	53	57739	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.692106962 CET	64812	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.701761007 CET	53	64812	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.702564001 CET	53078	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.713174105 CET	53	53078	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.713952065 CET	53035	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.746201992 CET	53	53035	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.747205973 CET	60212	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.760406017 CET	53	60212	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.761264086 CET	54378	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.771260977 CET	53	54378	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.771996021 CET	49364	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.782552004 CET	53	49364	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.783183098 CET	60317	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.793657064 CET	53	60317	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.794214010 CET	60321	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.828233957 CET	53	60321	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.829054117 CET	62011	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.859674931 CET	53	62011	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.860400915 CET	59871	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.872077942 CET	53	59871	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.872721910 CET	50695	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.880323887 CET	53	50695	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.880980968 CET	61937	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.911855936 CET	53	61937	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.912775040 CET	59499	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.922612906 CET	53	59499	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.923414946 CET	61875	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.933283091 CET	53	61875	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.934169054 CET	58830	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.943846941 CET	53	58830	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.944681883 CET	59166	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:32.955365896 CET	53	59166	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:32.956319094 CET	55698	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.114674091 CET	53	55698	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.115634918 CET	49464	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.145895958 CET	53	49464	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.147192955 CET	61559	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.180083990 CET	53	61559	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.181061029 CET	53932	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.212579966 CET	53	53932	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.213706970 CET	59926	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.244107962 CET	53	59926	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.245199919 CET	52246	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.254548073 CET	53	52246	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:33.255373955 CET	56519	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:33.286976099 CET	53	56519	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.311688900 CET	57289	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.342895985 CET	53	57289	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.343866110 CET	49670	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.354720116 CET	53	49670	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.355603933 CET	62582	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.365849018 CET	53	62582	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.366738081 CET	65140	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.377485037 CET	53	65140	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.378931999 CET	54371	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.389022112 CET	53	54371	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.390314102 CET	61715	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.423945904 CET	53	61715	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.425394058 CET	58453	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.435575008 CET	53	58453	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.436862946 CET	50937	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.449079037 CET	53	50937	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.449693918 CET	56102	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.463365078 CET	53	56102	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.463993073 CET	60887	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.474129915 CET	53	60887	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.475320101 CET	64685	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.482825994 CET	53	64685	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.483992100 CET	50667	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.493304968 CET	53	50667	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.494527102 CET	50209	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.504172087 CET	53	50209	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.505343914 CET	55276	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.516905069 CET	53	55276	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.518183947 CET	55807	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.527559042 CET	53	55807	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.528867006 CET	57282	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.538350105 CET	53	57282	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.539561987 CET	61768	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.552236080 CET	53	61768	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.552968979 CET	62990	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.563146114 CET	53	62990	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.563767910 CET	51316	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.573096991 CET	53	51316	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.573663950 CET	50510	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.604914904 CET	53	50510	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.605866909 CET	62271	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.616883993 CET	53	62271	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.617861032 CET	50058	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.627545118 CET	53	50058	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.628468990 CET	60470	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.659864902 CET	53	60470	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.660732031 CET	58170	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.692533970 CET	53	58170	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:34.693517923 CET	57087	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:34.703821898 CET	53	57087	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.343359947 CET	51937	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.376290083 CET	53	51937	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.377374887 CET	56305	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.388245106 CET	53	56305	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.389050007 CET	60260	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.422203064 CET	53	60260	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.423296928 CET	51723	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.591496944 CET	53	51723	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.592715025 CET	61819	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.603549004 CET	53	61819	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.604387045 CET	57660	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.615614891 CET	53	57660	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.616324902 CET	61741	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.626569986 CET	53	61741	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.627197027 CET	53400	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.637120008 CET	53	53400	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.638050079 CET	49790	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.648082972 CET	53	49790	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:35.648731947 CET	50966	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:35.660814047 CET	53	50966	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.561013937 CET	49613	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.592264891 CET	53	49613	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.593314886 CET	49920	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.603421926 CET	53	49920	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.604228973 CET	62634	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.636120081 CET	53	62634	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.641242981 CET	52068	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.675035000 CET	53	52068	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.676139116 CET	56390	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.687894106 CET	53	56390	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.688937902 CET	50561	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.699321985 CET	53	50561	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.699947119 CET	62962	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.710576057 CET	53	62962	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.711091042 CET	57065	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.742435932 CET	53	57065	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.743549109 CET	63947	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.774725914 CET	53	63947	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.775779963 CET	53400	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.946033001 CET	53	53400	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.947151899 CET	61455	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.956563950 CET	53	61455	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.957299948 CET	58201	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:37.967261076 CET	53	58201	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:37.968130112 CET	62277	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.123449087 CET	53	62277	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.126622915 CET	56136	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.134545088 CET	53	56136	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.135523081 CET	53412	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.168044090 CET	53	53412	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.169070959 CET	60669	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.179244041 CET	53	60669	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.180172920 CET	55883	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.189568996 CET	53	55883	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.190388918 CET	59717	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.200556040 CET	53	59717	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.201272011 CET	63496	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.211846113 CET	53	63496	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.212482929 CET	59878	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.223571062 CET	53	59878	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.224168062 CET	57237	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.255503893 CET	53	57237	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.256283998 CET	59907	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.288582087 CET	53	59907	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.289566040 CET	49989	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.300491095 CET	53	49989	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.301239014 CET	62509	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.332783937 CET	53	62509	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.333792925 CET	53648	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.343732119 CET	53	53648	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.344522953 CET	51901	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.356417894 CET	53	51901	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.357244015 CET	52559	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.368357897 CET	53	52559	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.369434118 CET	61513	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.400703907 CET	53	61513	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.401839018 CET	51184	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.413121939 CET	53	51184	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.414071083 CET	54638	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.421547890 CET	53	54638	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.422569036 CET	57975	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.432194948 CET	53	57975	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.433697939 CET	61585	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.605751991 CET	53	61585	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.606673956 CET	55567	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.617182970 CET	53	55567	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.618020058 CET	51086	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.630754948 CET	53	51086	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.631795883 CET	60659	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.640741110 CET	53	60659	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.641505957 CET	52811	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.653247118 CET	53	52811	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.654007912 CET	59575	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.664253950 CET	53	59575	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.665266991 CET	62253	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.676048040 CET	53	62253	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.676968098 CET	61548	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.687436104 CET	53	61548	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.688282967 CET	63013	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.697662115 CET	53	63013	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.698626041 CET	55013	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.709203959 CET	53	55013	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.709966898 CET	52460	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.742444992 CET	53	52460	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.743386984 CET	51410	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.753743887 CET	53	51410	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.754592896 CET	49896	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.786923885 CET	53	49896	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:38.787952900 CET	61422	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:38.798036098 CET	53	61422	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.690022945 CET	51189	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.699424982 CET	53	51189	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.700232029 CET	64495	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.710186005 CET	53	64495	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.710839987 CET	61920	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.721148014 CET	53	61920	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.721745014 CET	56653	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.754653931 CET	53	56653	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.755728006 CET	65019	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.765124083 CET	53	65019	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.765873909 CET	62862	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.797247887 CET	53	62862	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.798103094 CET	61928	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.808159113 CET	53	61928	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.808865070 CET	64057	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.841403008 CET	53	64057	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.842319012 CET	55526	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.851675987 CET	53	55526	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.852355003 CET	59882	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.862873077 CET	53	59882	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.863804102 CET	49476	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.873861074 CET	53	49476	1.1.1.1	192.168.2.9
Nov 7, 2024 15:50:39.885926962 CET	65131	53	192.168.2.9	1.1.1.1
Nov 7, 2024 15:50:39.896914005 CET	53	65131	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 15:49:08.921267033 CET	192.168.2.9	1.1.1.1	0xe894	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:08.933347940 CET	192.168.2.9	1.1.1.1	0xed81	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:08.970968008 CET	192.168.2.9	1.1.1.1	0xc957	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.003174067 CET	192.168.2.9	1.1.1.1	0x7c73	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.034266949 CET	192.168.2.9	1.1.1.1	0xba4	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.046657085 CET	192.168.2.9	1.1.1.1	0x228e	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.078241110 CET	192.168.2.9	1.1.1.1	0x7cec	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.089620113 CET	192.168.2.9	1.1.1.1	0x78c8	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.125448942 CET	192.168.2.9	1.1.1.1	0xab33	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.154241085 CET	192.168.2.9	1.1.1.1	0xcfe5	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.514740944 CET	192.168.2.9	1.1.1.1	0xefff	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.526369095 CET	192.168.2.9	1.1.1.1	0xe820	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.537337065 CET	192.168.2.9	1.1.1.1	0xe2b2	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.549215078 CET	192.168.2.9	1.1.1.1	0xf23b	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.582099915 CET	192.168.2.9	1.1.1.1	0x8f66	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.592950106 CET	192.168.2.9	1.1.1.1	0x64be	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.638968945 CET	192.168.2.9	1.1.1.1	0xe91	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.649652004 CET	192.168.2.9	1.1.1.1	0x3107	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.661371946 CET	192.168.2.9	1.1.1.1	0x75c0	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.671818972 CET	192.168.2.9	1.1.1.1	0x12e9	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.681627989 CET	192.168.2.9	1.1.1.1	0x6c52	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.800426960 CET	192.168.2.9	1.1.1.1	0x6a92	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.810117960 CET	192.168.2.9	1.1.1.1	0x5fe7	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.820542097 CET	192.168.2.9	1.1.1.1	0x996f	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.830760002 CET	192.168.2.9	1.1.1.1	0xc21b	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.841084957 CET	192.168.2.9	1.1.1.1	0xf398	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.851712942 CET	192.168.2.9	1.1.1.1	0xa4e8	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.862629890 CET	192.168.2.9	1.1.1.1	0x851c	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.872678995 CET	192.168.2.9	1.1.1.1	0xb17f	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.914840937 CET	192.168.2.9	1.1.1.1	0xa049	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.925559998 CET	192.168.2.9	1.1.1.1	0x372e	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.957278967 CET	192.168.2.9	1.1.1.1	0x4cb3	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.991750956 CET	192.168.2.9	1.1.1.1	0x7116	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.999700069 CET	192.168.2.9	1.1.1.1	0x99b9	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.034022093 CET	192.168.2.9	1.1.1.1	0x3055	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.045780897 CET	192.168.2.9	1.1.1.1	0x298f	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.056420088 CET	192.168.2.9	1.1.1.1	0x6411	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.088980913 CET	192.168.2.9	1.1.1.1	0x913f	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.100533009 CET	192.168.2.9	1.1.1.1	0x3e4c	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.133116961 CET	192.168.2.9	1.1.1.1	0xf690	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.148113012 CET	192.168.2.9	1.1.1.1	0xb358	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.159953117 CET	192.168.2.9	1.1.1.1	0xb724	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.170764923 CET	192.168.2.9	1.1.1.1	0x1308	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.181607962 CET	192.168.2.9	1.1.1.1	0xeea6	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.213766098 CET	192.168.2.9	1.1.1.1	0xd982	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.245229006 CET	192.168.2.9	1.1.1.1	0x2f0a	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.256453037 CET	192.168.2.9	1.1.1.1	0x8e11	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.273838043 CET	192.168.2.9	1.1.1.1	0x19b2	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.285363913 CET	192.168.2.9	1.1.1.1	0xf69b	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.296741009 CET	192.168.2.9	1.1.1.1	0x2ed6	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.328913927 CET	192.168.2.9	1.1.1.1	0xcb35	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.360985041 CET	192.168.2.9	1.1.1.1	0x445b	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.371820927 CET	192.168.2.9	1.1.1.1	0xf64	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.403414965 CET	192.168.2.9	1.1.1.1	0x2a2a	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.435302019 CET	192.168.2.9	1.1.1.1	0x29f4	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.445844889 CET	192.168.2.9	1.1.1.1	0x16a5	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.454080105 CET	192.168.2.9	1.1.1.1	0x1107	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.464221001 CET	192.168.2.9	1.1.1.1	0x714e	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.474232912 CET	192.168.2.9	1.1.1.1	0xdaf4	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.485729933 CET	192.168.2.9	1.1.1.1	0xb0be	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.517602921 CET	192.168.2.9	1.1.1.1	0xa213	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.527616978 CET	192.168.2.9	1.1.1.1	0x8ef	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.538496971 CET	192.168.2.9	1.1.1.1	0xa852	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.550060987 CET	192.168.2.9	1.1.1.1	0x7b27	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.582726955 CET	192.168.2.9	1.1.1.1	0x728	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.593519926 CET	192.168.2.9	1.1.1.1	0x7640	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.603871107 CET	192.168.2.9	1.1.1.1	0x8927	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.616965055 CET	192.168.2.9	1.1.1.1	0x7d5a	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.628843069 CET	192.168.2.9	1.1.1.1	0x7c17	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.639239073 CET	192.168.2.9	1.1.1.1	0xf18e	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.671592951 CET	192.168.2.9	1.1.1.1	0x94eb	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.682915926 CET	192.168.2.9	1.1.1.1	0xb990	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.696273088 CET	192.168.2.9	1.1.1.1	0x4ad7	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.704335928 CET	192.168.2.9	1.1.1.1	0xd309	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.713859081 CET	192.168.2.9	1.1.1.1	0xa04c	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.335496902 CET	192.168.2.9	1.1.1.1	0x4d4f	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.368925095 CET	192.168.2.9	1.1.1.1	0x14df	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.379664898 CET	192.168.2.9	1.1.1.1	0x7cb1	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.411297083 CET	192.168.2.9	1.1.1.1	0x822e	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.422255993 CET	192.168.2.9	1.1.1.1	0xa93c	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.430025101 CET	192.168.2.9	1.1.1.1	0x5538	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.441163063 CET	192.168.2.9	1.1.1.1	0xc6ae	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.451075077 CET	192.168.2.9	1.1.1.1	0x47de	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.461564064 CET	192.168.2.9	1.1.1.1	0x7af0	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.472067118 CET	192.168.2.9	1.1.1.1	0xb240	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.482841015 CET	192.168.2.9	1.1.1.1	0x16c9	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.515788078 CET	192.168.2.9	1.1.1.1	0x55da	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.526658058 CET	192.168.2.9	1.1.1.1	0x8d06	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.536891937 CET	192.168.2.9	1.1.1.1	0xeba	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.568599939 CET	192.168.2.9	1.1.1.1	0xac	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.579072952 CET	192.168.2.9	1.1.1.1	0x7e60	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.612051964 CET	192.168.2.9	1.1.1.1	0x30f4	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.622694016 CET	192.168.2.9	1.1.1.1	0x8721	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.632766008 CET	192.168.2.9	1.1.1.1	0x3fa0	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.647746086 CET	192.168.2.9	1.1.1.1	0x889b	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.681132078 CET	192.168.2.9	1.1.1.1	0x6cbf	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.714056015 CET	192.168.2.9	1.1.1.1	0x82ca	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.727488041 CET	192.168.2.9	1.1.1.1	0x4c1d	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.763012886 CET	192.168.2.9	1.1.1.1	0xb6ca	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.775341988 CET	192.168.2.9	1.1.1.1	0x712e	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.811594009 CET	192.168.2.9	1.1.1.1	0x36ed	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.690939903 CET	192.168.2.9	1.1.1.1	0x8b6b	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.700848103 CET	192.168.2.9	1.1.1.1	0xff50	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.711560965 CET	192.168.2.9	1.1.1.1	0xcd00	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.744110107 CET	192.168.2.9	1.1.1.1	0x36a0	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.755903006 CET	192.168.2.9	1.1.1.1	0xd13	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.765861988 CET	192.168.2.9	1.1.1.1	0x26ec	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.777021885 CET	192.168.2.9	1.1.1.1	0x2bc1	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.789094925 CET	192.168.2.9	1.1.1.1	0x6c69	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.820897102 CET	192.168.2.9	1.1.1.1	0xa6cc	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.853164911 CET	192.168.2.9	1.1.1.1	0xbb45	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.865565062 CET	192.168.2.9	1.1.1.1	0x9d65	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:18.959296942 CET	192.168.2.9	1.1.1.1	0x1b75	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:18.994071960 CET	192.168.2.9	1.1.1.1	0x17e5	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.004832983 CET	192.168.2.9	1.1.1.1	0x98a4	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.038866997 CET	192.168.2.9	1.1.1.1	0x9c1e	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.051556110 CET	192.168.2.9	1.1.1.1	0x3f56	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.085283041 CET	192.168.2.9	1.1.1.1	0x5d2e	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.107765913 CET	192.168.2.9	1.1.1.1	0x37b4	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.120485067 CET	192.168.2.9	1.1.1.1	0x283f	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.153968096 CET	192.168.2.9	1.1.1.1	0xda1e	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.192814112 CET	192.168.2.9	1.1.1.1	0x3ddc	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.206295013 CET	192.168.2.9	1.1.1.1	0xb5fa	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.217343092 CET	192.168.2.9	1.1.1.1	0x964d	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.229280949 CET	192.168.2.9	1.1.1.1	0x650f	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.239954948 CET	192.168.2.9	1.1.1.1	0xc318	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.274682045 CET	192.168.2.9	1.1.1.1	0xab13	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.286657095 CET	192.168.2.9	1.1.1.1	0x27b1	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.300102949 CET	192.168.2.9	1.1.1.1	0xb0e7	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.310889006 CET	192.168.2.9	1.1.1.1	0x44bd	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.476666927 CET	192.168.2.9	1.1.1.1	0xb788	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.488461018 CET	192.168.2.9	1.1.1.1	0x4ea7	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.500582933 CET	192.168.2.9	1.1.1.1	0x6264	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.510128021 CET	192.168.2.9	1.1.1.1	0x3279	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.546144009 CET	192.168.2.9	1.1.1.1	0xa11f	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.557279110 CET	192.168.2.9	1.1.1.1	0x8232	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.570133924 CET	192.168.2.9	1.1.1.1	0x77af	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.601934910 CET	192.168.2.9	1.1.1.1	0x7c4	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.613575935 CET	192.168.2.9	1.1.1.1	0xc4f6	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.650908947 CET	192.168.2.9	1.1.1.1	0xd15	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.665638924 CET	192.168.2.9	1.1.1.1	0xe24f	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.679744959 CET	192.168.2.9	1.1.1.1	0x3049	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.693254948 CET	192.168.2.9	1.1.1.1	0x917c	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.725316048 CET	192.168.2.9	1.1.1.1	0xb9d0	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.888958931 CET	192.168.2.9	1.1.1.1	0x9a0f	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.921819925 CET	192.168.2.9	1.1.1.1	0x655d	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.937139988 CET	192.168.2.9	1.1.1.1	0x18a1	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.951457024 CET	192.168.2.9	1.1.1.1	0x4879	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.983597040 CET	192.168.2.9	1.1.1.1	0x1841	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.016810894 CET	192.168.2.9	1.1.1.1	0xf0c5	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.027594090 CET	192.168.2.9	1.1.1.1	0x4e5c	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.038660049 CET	192.168.2.9	1.1.1.1	0xc296	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.051012039 CET	192.168.2.9	1.1.1.1	0xf5f0	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.084830046 CET	192.168.2.9	1.1.1.1	0x993	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.118428946 CET	192.168.2.9	1.1.1.1	0xf6c0	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.129400969 CET	192.168.2.9	1.1.1.1	0x532	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.143332005 CET	192.168.2.9	1.1.1.1	0x19e5	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.175358057 CET	192.168.2.9	1.1.1.1	0x8dc7	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.224307060 CET	192.168.2.9	1.1.1.1	0x8245	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.257157087 CET	192.168.2.9	1.1.1.1	0xa0f7	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.294055939 CET	192.168.2.9	1.1.1.1	0xc8ac	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.306222916 CET	192.168.2.9	1.1.1.1	0x5734	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.316474915 CET	192.168.2.9	1.1.1.1	0x7a9b	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.327322960 CET	192.168.2.9	1.1.1.1	0x1f1d	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.337572098 CET	192.168.2.9	1.1.1.1	0x5145	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.347692966 CET	192.168.2.9	1.1.1.1	0x4ae5	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.360043049 CET	192.168.2.9	1.1.1.1	0x36fa	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.372164011 CET	192.168.2.9	1.1.1.1	0x4ffd	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.405139923 CET	192.168.2.9	1.1.1.1	0xf66b	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.415690899 CET	192.168.2.9	1.1.1.1	0x3f0f	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:34.356103897 CET	192.168.2.9	1.1.1.1	0xc299	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.643997908 CET	192.168.2.9	1.1.1.1	0x6253	Standard query (0)	heavenstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.655499935 CET	192.168.2.9	1.1.1.1	0xee61	Standard query (0)	leadernothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.821135998 CET	192.168.2.9	1.1.1.1	0xc080	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.832320929 CET	192.168.2.9	1.1.1.1	0xcdaa	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.851861954 CET	192.168.2.9	1.1.1.1	0x51b4	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.883897066 CET	192.168.2.9	1.1.1.1	0x6787	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.895530939 CET	192.168.2.9	1.1.1.1	0xf613	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.908179045 CET	192.168.2.9	1.1.1.1	0x3753	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.918661118 CET	192.168.2.9	1.1.1.1	0x3dac	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.951003075 CET	192.168.2.9	1.1.1.1	0xaeea	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.125854969 CET	192.168.2.9	1.1.1.1	0xe07f	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.137227058 CET	192.168.2.9	1.1.1.1	0x2e6e	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.170145988 CET	192.168.2.9	1.1.1.1	0x2df9	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.182229996 CET	192.168.2.9	1.1.1.1	0xaa37	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.195220947 CET	192.168.2.9	1.1.1.1	0xc729	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.919358015 CET	192.168.2.9	1.1.1.1	0xa8a3	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.953047991 CET	192.168.2.9	1.1.1.1	0x17ae	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.987337112 CET	192.168.2.9	1.1.1.1	0xb22c	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.995675087 CET	192.168.2.9	1.1.1.1	0x7964	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.876291990 CET	192.168.2.9	1.1.1.1	0xe0a2	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.892009020 CET	192.168.2.9	1.1.1.1	0xcaf7	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.907500029 CET	192.168.2.9	1.1.1.1	0x1364	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.923247099 CET	192.168.2.9	1.1.1.1	0x5cf	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.938349009 CET	192.168.2.9	1.1.1.1	0xca94	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.952721119 CET	192.168.2.9	1.1.1.1	0x7e12	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.966800928 CET	192.168.2.9	1.1.1.1	0x606d	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.978810072 CET	192.168.2.9	1.1.1.1	0xfe8d	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.994147062 CET	192.168.2.9	1.1.1.1	0xbb63	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.005917072 CET	192.168.2.9	1.1.1.1	0x797c	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.177311897 CET	192.168.2.9	1.1.1.1	0xd558	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.188591003 CET	192.168.2.9	1.1.1.1	0xb6f7	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.200965881 CET	192.168.2.9	1.1.1.1	0xe1fb	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.211811066 CET	192.168.2.9	1.1.1.1	0x9c6e	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.221868992 CET	192.168.2.9	1.1.1.1	0xbea0	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.233222008 CET	192.168.2.9	1.1.1.1	0xf3d5	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.252914906 CET	192.168.2.9	1.1.1.1	0x8234	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.285739899 CET	192.168.2.9	1.1.1.1	0x1a08	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.301851988 CET	192.168.2.9	1.1.1.1	0x663c	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.335244894 CET	192.168.2.9	1.1.1.1	0x22cb	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.346179008 CET	192.168.2.9	1.1.1.1	0x30c6	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.357232094 CET	192.168.2.9	1.1.1.1	0xea21	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.368752003 CET	192.168.2.9	1.1.1.1	0xc0a	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.379467964 CET	192.168.2.9	1.1.1.1	0x9b77	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.390126944 CET	192.168.2.9	1.1.1.1	0x4108	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.565826893 CET	192.168.2.9	1.1.1.1	0x4dfc	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.599742889 CET	192.168.2.9	1.1.1.1	0xd823	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.612946987 CET	192.168.2.9	1.1.1.1	0xaf87	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.646431923 CET	192.168.2.9	1.1.1.1	0x5db6	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.658968925 CET	192.168.2.9	1.1.1.1	0xfc36	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.692106962 CET	192.168.2.9	1.1.1.1	0x6a72	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.702564001 CET	192.168.2.9	1.1.1.1	0xd10d	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.713952065 CET	192.168.2.9	1.1.1.1	0x8de3	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.747205973 CET	192.168.2.9	1.1.1.1	0x1c0	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.761264086 CET	192.168.2.9	1.1.1.1	0x137f	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.771996021 CET	192.168.2.9	1.1.1.1	0xdfd5	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.783183098 CET	192.168.2.9	1.1.1.1	0x1e57	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.794214010 CET	192.168.2.9	1.1.1.1	0xe4a8	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.829054117 CET	192.168.2.9	1.1.1.1	0x2bc	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.860400915 CET	192.168.2.9	1.1.1.1	0x1ea3	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.872721910 CET	192.168.2.9	1.1.1.1	0xea91	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.880980968 CET	192.168.2.9	1.1.1.1	0x5564	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.912775040 CET	192.168.2.9	1.1.1.1	0xb90c	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.923414946 CET	192.168.2.9	1.1.1.1	0x7208	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.934169054 CET	192.168.2.9	1.1.1.1	0xf841	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.944681883 CET	192.168.2.9	1.1.1.1	0x375d	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.956319094 CET	192.168.2.9	1.1.1.1	0x169a	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.115634918 CET	192.168.2.9	1.1.1.1	0xe132	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.147192955 CET	192.168.2.9	1.1.1.1	0x781e	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.181061029 CET	192.168.2.9	1.1.1.1	0x5742	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.213706970 CET	192.168.2.9	1.1.1.1	0x730f	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.245199919 CET	192.168.2.9	1.1.1.1	0xbae0	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.255373955 CET	192.168.2.9	1.1.1.1	0xa30d	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.311688900 CET	192.168.2.9	1.1.1.1	0x84c9	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.343866110 CET	192.168.2.9	1.1.1.1	0xcfc2	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.355603933 CET	192.168.2.9	1.1.1.1	0x33c6	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.366738081 CET	192.168.2.9	1.1.1.1	0x9ebe	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.378931999 CET	192.168.2.9	1.1.1.1	0xa8a6	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.390314102 CET	192.168.2.9	1.1.1.1	0xba23	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.425394058 CET	192.168.2.9	1.1.1.1	0xc9bf	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.436862946 CET	192.168.2.9	1.1.1.1	0xaa6a	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.449693918 CET	192.168.2.9	1.1.1.1	0x5296	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.463993073 CET	192.168.2.9	1.1.1.1	0xe437	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.475320101 CET	192.168.2.9	1.1.1.1	0xbfdc	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.483992100 CET	192.168.2.9	1.1.1.1	0x249e	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.494527102 CET	192.168.2.9	1.1.1.1	0x8b4	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.505343914 CET	192.168.2.9	1.1.1.1	0xceaa	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.518183947 CET	192.168.2.9	1.1.1.1	0xaa00	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.528867006 CET	192.168.2.9	1.1.1.1	0x4f48	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.539561987 CET	192.168.2.9	1.1.1.1	0x600e	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.552968979 CET	192.168.2.9	1.1.1.1	0xc0f	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.563767910 CET	192.168.2.9	1.1.1.1	0x5e9d	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.573663950 CET	192.168.2.9	1.1.1.1	0x97f	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.605866909 CET	192.168.2.9	1.1.1.1	0xef16	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.617861032 CET	192.168.2.9	1.1.1.1	0xb0a3	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.628468990 CET	192.168.2.9	1.1.1.1	0xa2c2	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.660732031 CET	192.168.2.9	1.1.1.1	0x6659	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.693517923 CET	192.168.2.9	1.1.1.1	0x1902	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.343359947 CET	192.168.2.9	1.1.1.1	0xc173	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.377374887 CET	192.168.2.9	1.1.1.1	0x56f2	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.389050007 CET	192.168.2.9	1.1.1.1	0x7320	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.423296928 CET	192.168.2.9	1.1.1.1	0x5f40	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.592715025 CET	192.168.2.9	1.1.1.1	0x13bc	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.604387045 CET	192.168.2.9	1.1.1.1	0xe98d	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.616324902 CET	192.168.2.9	1.1.1.1	0xf4a9	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.627197027 CET	192.168.2.9	1.1.1.1	0xf34	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.638050079 CET	192.168.2.9	1.1.1.1	0x7696	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.648731947 CET	192.168.2.9	1.1.1.1	0x4976	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.561013937 CET	192.168.2.9	1.1.1.1	0x39b6	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.593314886 CET	192.168.2.9	1.1.1.1	0xbc01	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.604228973 CET	192.168.2.9	1.1.1.1	0xac09	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.641242981 CET	192.168.2.9	1.1.1.1	0xce15	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.676139116 CET	192.168.2.9	1.1.1.1	0x2044	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.688937902 CET	192.168.2.9	1.1.1.1	0x22e6	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.699947119 CET	192.168.2.9	1.1.1.1	0xd84c	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.711091042 CET	192.168.2.9	1.1.1.1	0x74e5	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.743549109 CET	192.168.2.9	1.1.1.1	0x495e	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.775779963 CET	192.168.2.9	1.1.1.1	0x4a19	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.947151899 CET	192.168.2.9	1.1.1.1	0x51bd	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.957299948 CET	192.168.2.9	1.1.1.1	0xb386	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.968130112 CET	192.168.2.9	1.1.1.1	0xd7b	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.126622915 CET	192.168.2.9	1.1.1.1	0x4af3	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.135523081 CET	192.168.2.9	1.1.1.1	0x3e66	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.169070959 CET	192.168.2.9	1.1.1.1	0xb1c5	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.180172920 CET	192.168.2.9	1.1.1.1	0x5071	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.190388918 CET	192.168.2.9	1.1.1.1	0x4a27	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.201272011 CET	192.168.2.9	1.1.1.1	0x20c1	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.212482929 CET	192.168.2.9	1.1.1.1	0xaa9c	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.224168062 CET	192.168.2.9	1.1.1.1	0x233	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.256283998 CET	192.168.2.9	1.1.1.1	0x3861	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.289566040 CET	192.168.2.9	1.1.1.1	0xf320	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.301239014 CET	192.168.2.9	1.1.1.1	0x27b5	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.333792925 CET	192.168.2.9	1.1.1.1	0x9ccb	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.344522953 CET	192.168.2.9	1.1.1.1	0x135c	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.357244015 CET	192.168.2.9	1.1.1.1	0x4bcc	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.369434118 CET	192.168.2.9	1.1.1.1	0x8c9d	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.401839018 CET	192.168.2.9	1.1.1.1	0xa913	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.414071083 CET	192.168.2.9	1.1.1.1	0x281f	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.422569036 CET	192.168.2.9	1.1.1.1	0xe65e	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.433697939 CET	192.168.2.9	1.1.1.1	0x1114	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.606673956 CET	192.168.2.9	1.1.1.1	0x75dc	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.618020058 CET	192.168.2.9	1.1.1.1	0x47e8	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.631795883 CET	192.168.2.9	1.1.1.1	0x3054	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.641505957 CET	192.168.2.9	1.1.1.1	0x2643	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.654007912 CET	192.168.2.9	1.1.1.1	0x726	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.665266991 CET	192.168.2.9	1.1.1.1	0xdfa1	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.676968098 CET	192.168.2.9	1.1.1.1	0xdf3e	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.688282967 CET	192.168.2.9	1.1.1.1	0x6ad	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.698626041 CET	192.168.2.9	1.1.1.1	0x53ae	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.709966898 CET	192.168.2.9	1.1.1.1	0x7310	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.743386984 CET	192.168.2.9	1.1.1.1	0x5dca	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.754592896 CET	192.168.2.9	1.1.1.1	0x3e15	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.787952900 CET	192.168.2.9	1.1.1.1	0x6405	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.690022945 CET	192.168.2.9	1.1.1.1	0xb91e	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.700232029 CET	192.168.2.9	1.1.1.1	0x5be6	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.710839987 CET	192.168.2.9	1.1.1.1	0x787	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.721745014 CET	192.168.2.9	1.1.1.1	0x37af	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.755728006 CET	192.168.2.9	1.1.1.1	0x9913	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.765873909 CET	192.168.2.9	1.1.1.1	0x86b7	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.798103094 CET	192.168.2.9	1.1.1.1	0xf2d	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.808865070 CET	192.168.2.9	1.1.1.1	0x4cb6	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.842319012 CET	192.168.2.9	1.1.1.1	0x1ab	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.852355003 CET	192.168.2.9	1.1.1.1	0x79ce	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.863804102 CET	192.168.2.9	1.1.1.1	0x78aa	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.885926962 CET	192.168.2.9	1.1.1.1	0xb621	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 15:48:59.318007946 CET	1.1.1.1	192.168.2.9	0x84e4	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:48:59.318007946 CET	1.1.1.1	192.168.2.9	0x84e4	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:08.931904078 CET	1.1.1.1	192.168.2.9	0xe894	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:08.964145899 CET	1.1.1.1	192.168.2.9	0xed81	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.002372980 CET	1.1.1.1	192.168.2.9	0xc957	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.033591032 CET	1.1.1.1	192.168.2.9	0x7c73	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.043936968 CET	1.1.1.1	192.168.2.9	0xba4	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.076956987 CET	1.1.1.1	192.168.2.9	0x228e	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.088481903 CET	1.1.1.1	192.168.2.9	0x7cec	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.121536970 CET	1.1.1.1	192.168.2.9	0x78c8	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.135730028 CET	1.1.1.1	192.168.2.9	0xab33	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.327040911 CET	1.1.1.1	192.168.2.9	0xcfe5	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.525682926 CET	1.1.1.1	192.168.2.9	0xefff	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.536647081 CET	1.1.1.1	192.168.2.9	0xe820	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.548413992 CET	1.1.1.1	192.168.2.9	0xe2b2	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.581334114 CET	1.1.1.1	192.168.2.9	0xf23b	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.591408968 CET	1.1.1.1	192.168.2.9	0x8f66	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:09.998265028 CET	1.1.1.1	192.168.2.9	0x64be	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:49:09.998265028 CET	1.1.1.1	192.168.2.9	0x64be	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.648808956 CET	1.1.1.1	192.168.2.9	0xe91	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.660598040 CET	1.1.1.1	192.168.2.9	0x3107	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.671106100 CET	1.1.1.1	192.168.2.9	0x75c0	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.681005955 CET	1.1.1.1	192.168.2.9	0x12e9	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:10.946204901 CET	1.1.1.1	192.168.2.9	0x6c52	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.809362888 CET	1.1.1.1	192.168.2.9	0x6a92	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.819823980 CET	1.1.1.1	192.168.2.9	0x5fe7	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.829943895 CET	1.1.1.1	192.168.2.9	0x996f	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.840373039 CET	1.1.1.1	192.168.2.9	0xc21b	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.850922108 CET	1.1.1.1	192.168.2.9	0xf398	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.861757040 CET	1.1.1.1	192.168.2.9	0xa4e8	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.872107029 CET	1.1.1.1	192.168.2.9	0x851c	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.907372952 CET	1.1.1.1	192.168.2.9	0xb17f	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.924952030 CET	1.1.1.1	192.168.2.9	0xa049	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.956357002 CET	1.1.1.1	192.168.2.9	0x372e	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.990556002 CET	1.1.1.1	192.168.2.9	0x4cb3	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:12.999067068 CET	1.1.1.1	192.168.2.9	0x7116	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.033221006 CET	1.1.1.1	192.168.2.9	0x99b9	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.045126915 CET	1.1.1.1	192.168.2.9	0x3055	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.055738926 CET	1.1.1.1	192.168.2.9	0x298f	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.088169098 CET	1.1.1.1	192.168.2.9	0x6411	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.099796057 CET	1.1.1.1	192.168.2.9	0x913f	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.132309914 CET	1.1.1.1	192.168.2.9	0x3e4c	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.147173882 CET	1.1.1.1	192.168.2.9	0xf690	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.159039974 CET	1.1.1.1	192.168.2.9	0xb358	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.169950008 CET	1.1.1.1	192.168.2.9	0xb724	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.180988073 CET	1.1.1.1	192.168.2.9	0x1308	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.212989092 CET	1.1.1.1	192.168.2.9	0xeea6	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.244515896 CET	1.1.1.1	192.168.2.9	0xd982	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.255616903 CET	1.1.1.1	192.168.2.9	0x2f0a	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.266153097 CET	1.1.1.1	192.168.2.9	0x8e11	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.284729958 CET	1.1.1.1	192.168.2.9	0x19b2	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.296072960 CET	1.1.1.1	192.168.2.9	0xf69b	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.327910900 CET	1.1.1.1	192.168.2.9	0x2ed6	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.360156059 CET	1.1.1.1	192.168.2.9	0xcb35	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.371160030 CET	1.1.1.1	192.168.2.9	0x445b	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.402635098 CET	1.1.1.1	192.168.2.9	0xf64	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.434674025 CET	1.1.1.1	192.168.2.9	0x2a2a	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.444956064 CET	1.1.1.1	192.168.2.9	0x29f4	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.453526974 CET	1.1.1.1	192.168.2.9	0x16a5	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.463742971 CET	1.1.1.1	192.168.2.9	0x1107	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.473587990 CET	1.1.1.1	192.168.2.9	0x714e	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.485110044 CET	1.1.1.1	192.168.2.9	0xdaf4	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.516853094 CET	1.1.1.1	192.168.2.9	0xb0be	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.526807070 CET	1.1.1.1	192.168.2.9	0xa213	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.537838936 CET	1.1.1.1	192.168.2.9	0x8ef	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.549238920 CET	1.1.1.1	192.168.2.9	0xa852	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.581810951 CET	1.1.1.1	192.168.2.9	0x7b27	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.592744112 CET	1.1.1.1	192.168.2.9	0x728	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.603055000 CET	1.1.1.1	192.168.2.9	0x7640	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.614237070 CET	1.1.1.1	192.168.2.9	0x8927	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.628088951 CET	1.1.1.1	192.168.2.9	0x7d5a	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.638617992 CET	1.1.1.1	192.168.2.9	0x7c17	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.670644045 CET	1.1.1.1	192.168.2.9	0xf18e	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.682285070 CET	1.1.1.1	192.168.2.9	0x94eb	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.695362091 CET	1.1.1.1	192.168.2.9	0xb990	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.703493118 CET	1.1.1.1	192.168.2.9	0x4ad7	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:13.713155985 CET	1.1.1.1	192.168.2.9	0xd309	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:14.057542086 CET	1.1.1.1	192.168.2.9	0xa04c	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.367727041 CET	1.1.1.1	192.168.2.9	0x4d4f	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.378793955 CET	1.1.1.1	192.168.2.9	0x14df	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.410432100 CET	1.1.1.1	192.168.2.9	0x7cb1	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.421564102 CET	1.1.1.1	192.168.2.9	0x822e	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.429342031 CET	1.1.1.1	192.168.2.9	0xa93c	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.440540075 CET	1.1.1.1	192.168.2.9	0x5538	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.450385094 CET	1.1.1.1	192.168.2.9	0xc6ae	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.460942030 CET	1.1.1.1	192.168.2.9	0x47de	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.471343040 CET	1.1.1.1	192.168.2.9	0x7af0	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.482135057 CET	1.1.1.1	192.168.2.9	0xb240	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.515073061 CET	1.1.1.1	192.168.2.9	0x16c9	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.525993109 CET	1.1.1.1	192.168.2.9	0x55da	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.536242008 CET	1.1.1.1	192.168.2.9	0x8d06	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.567677975 CET	1.1.1.1	192.168.2.9	0xeba	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.578258038 CET	1.1.1.1	192.168.2.9	0xac	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.611049891 CET	1.1.1.1	192.168.2.9	0x7e60	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.621836901 CET	1.1.1.1	192.168.2.9	0x30f4	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.631819010 CET	1.1.1.1	192.168.2.9	0x8721	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.644392967 CET	1.1.1.1	192.168.2.9	0x3fa0	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.657995939 CET	1.1.1.1	192.168.2.9	0x889b	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.712976933 CET	1.1.1.1	192.168.2.9	0x6cbf	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.726629972 CET	1.1.1.1	192.168.2.9	0x82ca	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.762072086 CET	1.1.1.1	192.168.2.9	0x4c1d	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.774578094 CET	1.1.1.1	192.168.2.9	0xb6ca	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:15.810655117 CET	1.1.1.1	192.168.2.9	0x712e	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.019627094 CET	1.1.1.1	192.168.2.9	0x36ed	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 15:49:16.019627094 CET	1.1.1.1	192.168.2.9	0x36ed	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.700093031 CET	1.1.1.1	192.168.2.9	0x8b6b	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.710598946 CET	1.1.1.1	192.168.2.9	0xff50	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.743125916 CET	1.1.1.1	192.168.2.9	0xcd00	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.755172014 CET	1.1.1.1	192.168.2.9	0x36a0	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.765244961 CET	1.1.1.1	192.168.2.9	0xd13	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.776339054 CET	1.1.1.1	192.168.2.9	0x26ec	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.788531065 CET	1.1.1.1	192.168.2.9	0x2bc1	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.820300102 CET	1.1.1.1	192.168.2.9	0x6c69	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.852547884 CET	1.1.1.1	192.168.2.9	0xa6cc	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:16.865071058 CET	1.1.1.1	192.168.2.9	0xbb45	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:17.056256056 CET	1.1.1.1	192.168.2.9	0x9d65	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:18.993046045 CET	1.1.1.1	192.168.2.9	0x1b75	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.004070044 CET	1.1.1.1	192.168.2.9	0x17e5	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.038043022 CET	1.1.1.1	192.168.2.9	0x98a4	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.050812960 CET	1.1.1.1	192.168.2.9	0x9c1e	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.084249020 CET	1.1.1.1	192.168.2.9	0x3f56	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.097470045 CET	1.1.1.1	192.168.2.9	0x5d2e	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.119432926 CET	1.1.1.1	192.168.2.9	0x37b4	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.152745008 CET	1.1.1.1	192.168.2.9	0x283f	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.191637039 CET	1.1.1.1	192.168.2.9	0xda1e	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.205260038 CET	1.1.1.1	192.168.2.9	0x3ddc	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.216685057 CET	1.1.1.1	192.168.2.9	0xb5fa	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.228319883 CET	1.1.1.1	192.168.2.9	0x964d	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.239236116 CET	1.1.1.1	192.168.2.9	0x650f	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.273931980 CET	1.1.1.1	192.168.2.9	0xc318	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.285948992 CET	1.1.1.1	192.168.2.9	0xab13	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.299053907 CET	1.1.1.1	192.168.2.9	0x27b1	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.310216904 CET	1.1.1.1	192.168.2.9	0xb0e7	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.475277901 CET	1.1.1.1	192.168.2.9	0x44bd	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.487433910 CET	1.1.1.1	192.168.2.9	0xb788	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.499526978 CET	1.1.1.1	192.168.2.9	0x4ea7	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.509341002 CET	1.1.1.1	192.168.2.9	0x6264	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.545067072 CET	1.1.1.1	192.168.2.9	0x3279	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.556724072 CET	1.1.1.1	192.168.2.9	0xa11f	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.569519043 CET	1.1.1.1	192.168.2.9	0x8232	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.601066113 CET	1.1.1.1	192.168.2.9	0x77af	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.612663031 CET	1.1.1.1	192.168.2.9	0x7c4	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.649933100 CET	1.1.1.1	192.168.2.9	0xc4f6	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.664751053 CET	1.1.1.1	192.168.2.9	0xd15	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.678813934 CET	1.1.1.1	192.168.2.9	0xe24f	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.692347050 CET	1.1.1.1	192.168.2.9	0x3049	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.724493027 CET	1.1.1.1	192.168.2.9	0x917c	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.887726068 CET	1.1.1.1	192.168.2.9	0xb9d0	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.920579910 CET	1.1.1.1	192.168.2.9	0x9a0f	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.936417103 CET	1.1.1.1	192.168.2.9	0x655d	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.950788975 CET	1.1.1.1	192.168.2.9	0x18a1	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:19.982711077 CET	1.1.1.1	192.168.2.9	0x4879	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.015873909 CET	1.1.1.1	192.168.2.9	0x1841	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.026814938 CET	1.1.1.1	192.168.2.9	0xf0c5	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.038037062 CET	1.1.1.1	192.168.2.9	0x4e5c	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.050216913 CET	1.1.1.1	192.168.2.9	0xc296	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.083918095 CET	1.1.1.1	192.168.2.9	0xf5f0	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.117528915 CET	1.1.1.1	192.168.2.9	0x993	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.127818108 CET	1.1.1.1	192.168.2.9	0xf6c0	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.140700102 CET	1.1.1.1	192.168.2.9	0x532	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.174204111 CET	1.1.1.1	192.168.2.9	0x19e5	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:20.285939932 CET	1.1.1.1	192.168.2.9	0x8dc7	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.256206989 CET	1.1.1.1	192.168.2.9	0x8245	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.293313026 CET	1.1.1.1	192.168.2.9	0xa0f7	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.305421114 CET	1.1.1.1	192.168.2.9	0xc8ac	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.315792084 CET	1.1.1.1	192.168.2.9	0x5734	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.326724052 CET	1.1.1.1	192.168.2.9	0x7a9b	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.336849928 CET	1.1.1.1	192.168.2.9	0x1f1d	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.347054958 CET	1.1.1.1	192.168.2.9	0x5145	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.359325886 CET	1.1.1.1	192.168.2.9	0x4ae5	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.371486902 CET	1.1.1.1	192.168.2.9	0x36fa	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.404402971 CET	1.1.1.1	192.168.2.9	0x4ffd	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.414870024 CET	1.1.1.1	192.168.2.9	0xf66b	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:21.425367117 CET	1.1.1.1	192.168.2.9	0x3f0f	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:49:34.387767076 CET	1.1.1.1	192.168.2.9	0xc299	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.653969049 CET	1.1.1.1	192.168.2.9	0x6253	Name error (3)	heavenstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.819984913 CET	1.1.1.1	192.168.2.9	0xee61	Name error (3)	leadernothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.831336021 CET	1.1.1.1	192.168.2.9	0xc080	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.843178988 CET	1.1.1.1	192.168.2.9	0xcdaa	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.882821083 CET	1.1.1.1	192.168.2.9	0x51b4	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.894623995 CET	1.1.1.1	192.168.2.9	0x6787	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.907344103 CET	1.1.1.1	192.168.2.9	0xf613	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.917670012 CET	1.1.1.1	192.168.2.9	0x3753	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:28.950149059 CET	1.1.1.1	192.168.2.9	0x3dac	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.124773026 CET	1.1.1.1	192.168.2.9	0xaeea	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.136356115 CET	1.1.1.1	192.168.2.9	0xe07f	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.169091940 CET	1.1.1.1	192.168.2.9	0x2e6e	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.181204081 CET	1.1.1.1	192.168.2.9	0x2df9	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.194171906 CET	1.1.1.1	192.168.2.9	0xaa37	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.205931902 CET	1.1.1.1	192.168.2.9	0xc729	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.952070951 CET	1.1.1.1	192.168.2.9	0xa8a3	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.986409903 CET	1.1.1.1	192.168.2.9	0x17ae	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:29.995012999 CET	1.1.1.1	192.168.2.9	0xb22c	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:30.006134033 CET	1.1.1.1	192.168.2.9	0x7964	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.891206026 CET	1.1.1.1	192.168.2.9	0xe0a2	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.906213045 CET	1.1.1.1	192.168.2.9	0xcaf7	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.921438932 CET	1.1.1.1	192.168.2.9	0x1364	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.937448025 CET	1.1.1.1	192.168.2.9	0x5cf	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.951960087 CET	1.1.1.1	192.168.2.9	0xca94	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.965872049 CET	1.1.1.1	192.168.2.9	0x7e12	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.977864981 CET	1.1.1.1	192.168.2.9	0x606d	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:31.993380070 CET	1.1.1.1	192.168.2.9	0xfe8d	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.005217075 CET	1.1.1.1	192.168.2.9	0xbb63	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.176177025 CET	1.1.1.1	192.168.2.9	0x797c	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.187567949 CET	1.1.1.1	192.168.2.9	0xd558	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.200071096 CET	1.1.1.1	192.168.2.9	0xb6f7	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.211034060 CET	1.1.1.1	192.168.2.9	0xe1fb	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.220937014 CET	1.1.1.1	192.168.2.9	0x9c6e	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.232353926 CET	1.1.1.1	192.168.2.9	0xbea0	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.251966953 CET	1.1.1.1	192.168.2.9	0xf3d5	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.284416914 CET	1.1.1.1	192.168.2.9	0x8234	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.296153069 CET	1.1.1.1	192.168.2.9	0x1a08	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.333589077 CET	1.1.1.1	192.168.2.9	0x663c	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.344705105 CET	1.1.1.1	192.168.2.9	0x22cb	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.356528997 CET	1.1.1.1	192.168.2.9	0x30c6	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.368113995 CET	1.1.1.1	192.168.2.9	0xea21	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.378681898 CET	1.1.1.1	192.168.2.9	0xc0a	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.389421940 CET	1.1.1.1	192.168.2.9	0x9b77	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.564840078 CET	1.1.1.1	192.168.2.9	0x4108	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.598718882 CET	1.1.1.1	192.168.2.9	0x4dfc	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.611998081 CET	1.1.1.1	192.168.2.9	0xd823	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.645318031 CET	1.1.1.1	192.168.2.9	0xaf87	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.658052921 CET	1.1.1.1	192.168.2.9	0x5db6	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.691165924 CET	1.1.1.1	192.168.2.9	0xfc36	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.701761007 CET	1.1.1.1	192.168.2.9	0x6a72	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.713174105 CET	1.1.1.1	192.168.2.9	0xd10d	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.746201992 CET	1.1.1.1	192.168.2.9	0x8de3	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.760406017 CET	1.1.1.1	192.168.2.9	0x1c0	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.771260977 CET	1.1.1.1	192.168.2.9	0x137f	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.782552004 CET	1.1.1.1	192.168.2.9	0xdfd5	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.793657064 CET	1.1.1.1	192.168.2.9	0x1e57	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.828233957 CET	1.1.1.1	192.168.2.9	0xe4a8	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.859674931 CET	1.1.1.1	192.168.2.9	0x2bc	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.872077942 CET	1.1.1.1	192.168.2.9	0x1ea3	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.880323887 CET	1.1.1.1	192.168.2.9	0xea91	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.911855936 CET	1.1.1.1	192.168.2.9	0x5564	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.922612906 CET	1.1.1.1	192.168.2.9	0xb90c	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.933283091 CET	1.1.1.1	192.168.2.9	0x7208	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.943846941 CET	1.1.1.1	192.168.2.9	0xf841	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:32.955365896 CET	1.1.1.1	192.168.2.9	0x375d	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.114674091 CET	1.1.1.1	192.168.2.9	0x169a	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.145895958 CET	1.1.1.1	192.168.2.9	0xe132	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.180083990 CET	1.1.1.1	192.168.2.9	0x781e	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.212579966 CET	1.1.1.1	192.168.2.9	0x5742	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.244107962 CET	1.1.1.1	192.168.2.9	0x730f	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.254548073 CET	1.1.1.1	192.168.2.9	0xbae0	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:33.286976099 CET	1.1.1.1	192.168.2.9	0xa30d	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.342895985 CET	1.1.1.1	192.168.2.9	0x84c9	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.354720116 CET	1.1.1.1	192.168.2.9	0xcfc2	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.365849018 CET	1.1.1.1	192.168.2.9	0x33c6	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.377485037 CET	1.1.1.1	192.168.2.9	0x9ebe	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.389022112 CET	1.1.1.1	192.168.2.9	0xa8a6	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.423945904 CET	1.1.1.1	192.168.2.9	0xba23	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.435575008 CET	1.1.1.1	192.168.2.9	0xc9bf	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.449079037 CET	1.1.1.1	192.168.2.9	0xaa6a	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.463365078 CET	1.1.1.1	192.168.2.9	0x5296	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.474129915 CET	1.1.1.1	192.168.2.9	0xe437	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.482825994 CET	1.1.1.1	192.168.2.9	0xbfdc	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.493304968 CET	1.1.1.1	192.168.2.9	0x249e	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.504172087 CET	1.1.1.1	192.168.2.9	0x8b4	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.516905069 CET	1.1.1.1	192.168.2.9	0xceaa	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.527559042 CET	1.1.1.1	192.168.2.9	0xaa00	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.538350105 CET	1.1.1.1	192.168.2.9	0x4f48	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.552236080 CET	1.1.1.1	192.168.2.9	0x600e	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.563146114 CET	1.1.1.1	192.168.2.9	0xc0f	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.573096991 CET	1.1.1.1	192.168.2.9	0x5e9d	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.604914904 CET	1.1.1.1	192.168.2.9	0x97f	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.616883993 CET	1.1.1.1	192.168.2.9	0xef16	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.627545118 CET	1.1.1.1	192.168.2.9	0xb0a3	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.659864902 CET	1.1.1.1	192.168.2.9	0xa2c2	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.692533970 CET	1.1.1.1	192.168.2.9	0x6659	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:34.703821898 CET	1.1.1.1	192.168.2.9	0x1902	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.376290083 CET	1.1.1.1	192.168.2.9	0xc173	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.388245106 CET	1.1.1.1	192.168.2.9	0x56f2	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.422203064 CET	1.1.1.1	192.168.2.9	0x7320	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.591496944 CET	1.1.1.1	192.168.2.9	0x5f40	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.603549004 CET	1.1.1.1	192.168.2.9	0x13bc	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.615614891 CET	1.1.1.1	192.168.2.9	0xe98d	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.626569986 CET	1.1.1.1	192.168.2.9	0xf4a9	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.637120008 CET	1.1.1.1	192.168.2.9	0xf34	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.648082972 CET	1.1.1.1	192.168.2.9	0x7696	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:35.660814047 CET	1.1.1.1	192.168.2.9	0x4976	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.592264891 CET	1.1.1.1	192.168.2.9	0x39b6	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.603421926 CET	1.1.1.1	192.168.2.9	0xbc01	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.636120081 CET	1.1.1.1	192.168.2.9	0xac09	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.675035000 CET	1.1.1.1	192.168.2.9	0xce15	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.687894106 CET	1.1.1.1	192.168.2.9	0x2044	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.699321985 CET	1.1.1.1	192.168.2.9	0x22e6	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.710576057 CET	1.1.1.1	192.168.2.9	0xd84c	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.742435932 CET	1.1.1.1	192.168.2.9	0x74e5	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.774725914 CET	1.1.1.1	192.168.2.9	0x495e	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.946033001 CET	1.1.1.1	192.168.2.9	0x4a19	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.956563950 CET	1.1.1.1	192.168.2.9	0x51bd	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:37.967261076 CET	1.1.1.1	192.168.2.9	0xb386	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.123449087 CET	1.1.1.1	192.168.2.9	0xd7b	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.134545088 CET	1.1.1.1	192.168.2.9	0x4af3	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.168044090 CET	1.1.1.1	192.168.2.9	0x3e66	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.179244041 CET	1.1.1.1	192.168.2.9	0xb1c5	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.189568996 CET	1.1.1.1	192.168.2.9	0x5071	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.200556040 CET	1.1.1.1	192.168.2.9	0x4a27	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.211846113 CET	1.1.1.1	192.168.2.9	0x20c1	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.223571062 CET	1.1.1.1	192.168.2.9	0xaa9c	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.255503893 CET	1.1.1.1	192.168.2.9	0x233	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.288582087 CET	1.1.1.1	192.168.2.9	0x3861	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.300491095 CET	1.1.1.1	192.168.2.9	0xf320	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.332783937 CET	1.1.1.1	192.168.2.9	0x27b5	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.343732119 CET	1.1.1.1	192.168.2.9	0x9ccb	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.356417894 CET	1.1.1.1	192.168.2.9	0x135c	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.368357897 CET	1.1.1.1	192.168.2.9	0x4bcc	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.400703907 CET	1.1.1.1	192.168.2.9	0x8c9d	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.413121939 CET	1.1.1.1	192.168.2.9	0xa913	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.421547890 CET	1.1.1.1	192.168.2.9	0x281f	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.432194948 CET	1.1.1.1	192.168.2.9	0xe65e	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.605751991 CET	1.1.1.1	192.168.2.9	0x1114	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.617182970 CET	1.1.1.1	192.168.2.9	0x75dc	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.630754948 CET	1.1.1.1	192.168.2.9	0x47e8	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.640741110 CET	1.1.1.1	192.168.2.9	0x3054	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.653247118 CET	1.1.1.1	192.168.2.9	0x2643	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.664253950 CET	1.1.1.1	192.168.2.9	0x726	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.676048040 CET	1.1.1.1	192.168.2.9	0xdfa1	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.687436104 CET	1.1.1.1	192.168.2.9	0xdf3e	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.697662115 CET	1.1.1.1	192.168.2.9	0x6ad	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.709203959 CET	1.1.1.1	192.168.2.9	0x53ae	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.742444992 CET	1.1.1.1	192.168.2.9	0x7310	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.753743887 CET	1.1.1.1	192.168.2.9	0x5dca	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.786923885 CET	1.1.1.1	192.168.2.9	0x3e15	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:38.798036098 CET	1.1.1.1	192.168.2.9	0x6405	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.699424982 CET	1.1.1.1	192.168.2.9	0xb91e	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.710186005 CET	1.1.1.1	192.168.2.9	0x5be6	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.721148014 CET	1.1.1.1	192.168.2.9	0x787	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.754653931 CET	1.1.1.1	192.168.2.9	0x37af	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.765124083 CET	1.1.1.1	192.168.2.9	0x9913	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.797247887 CET	1.1.1.1	192.168.2.9	0x86b7	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.808159113 CET	1.1.1.1	192.168.2.9	0xf2d	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.841403008 CET	1.1.1.1	192.168.2.9	0x4cb6	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.851675987 CET	1.1.1.1	192.168.2.9	0x1ab	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.862873077 CET	1.1.1.1	192.168.2.9	0x79ce	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.873861074 CET	1.1.1.1	192.168.2.9	0x78aa	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 15:50:39.896914005 CET	1.1.1.1	192.168.2.9	0xb621	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49756	199.59.243.227	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:10.005867958 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:49:10.634885073 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:49:10 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 68178e2c-694b-41d3-92af-9213f11a352b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=68178e2c-694b-41d3-92af-9213f11a352b; expires=Thu, 07 Nov 2024 15:04:10 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:49:10.634932995 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjgxNzhlMmMtNjk0Yi00MWQzLTkyYWYtOTIxM2YxMWEzNTJiIiwicGFnZV90aW1lIjoxNzMwOTkwOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49762	18.143.155.63	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:10.952044964 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:49:12.381201029 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:49:12 GMT Content-Type: text/html Connection: close Set-Cookie: btst=32682e797a610ad4fc2a40f456784ceb\|173.254.250.79\|1730990952\|1730990952\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49777	54.244.188.177	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:14.338469028 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:49:15.212112904 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:49:15 GMT Content-Type: text/html Connection: close Set-Cookie: btst=d701794b7fb65e1d024fb2c46f5faea8\|173.254.250.79\|1730990955\|1730990955\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49788	199.59.243.227	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:16.028371096 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:49:16.689922094 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:49:15 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: d2a2e5ff-f1db-47fb-909f-102189629900 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=d2a2e5ff-f1db-47fb-909f-102189629900; expires=Thu, 07 Nov 2024 15:04:16 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:49:16.690118074 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDJhMmU1ZmYtZjFkYi00N2ZiLTkwOWYtMTAyMTg5NjI5OTAwIiwicGFnZV90aW1lIjoxNzMwOTkwOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49796	18.143.155.63	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:17.062005043 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:49:18.545285940 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:49:18 GMT Content-Type: text/html Connection: close Set-Cookie: btst=04a33f4ec5f4905135fbcec08784220b\|173.254.250.79\|1730990958\|1730990958\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49813	85.214.228.140	80	7908	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:49:20.291795969 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:49:21.223330975 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:49:21 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	56370	199.59.243.227	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:29.215151072 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 15:50:29.886287928 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:50:29 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: c2612408-7417-4a9a-a12f-1f95cd81c0a9 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=c2612408-7417-4a9a-a12f-1f95cd81c0a9; expires=Thu, 07 Nov 2024 15:05:29 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:50:29.886425018 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzI2MTI0MDgtNzQxNy00YTlhLWExMmYtMWY5NWNkODFjMGE5IiwicGFnZV90aW1lIjoxNzMwOTkxMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	56371	18.143.155.63	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:30.012887955 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 15:50:31.451720953 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:31 GMT Content-Type: text/html Connection: close Set-Cookie: btst=77bdabff262539af270f26bc1010dc9a\|173.254.250.79\|1730991031\|1730991031\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	56372	54.244.188.177	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:33.293332100 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 15:50:34.188704967 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:34 GMT Content-Type: text/html Connection: close Set-Cookie: btst=c358ada54cf53c04ce5c9ad6a7217b35\|173.254.250.79\|1730991034\|1730991034\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	56373	199.59.243.227	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:34.714670897 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 15:50:35.341522932 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 14:50:34 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: d2ddabc3-1eec-423b-a8d7-e58d2e3d844a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=d2ddabc3-1eec-423b-a8d7-e58d2e3d844a; expires=Thu, 07 Nov 2024 15:05:35 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 15:50:35.341628075 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDJkZGFiYzMtMWVlYy00MjNiLWE4ZDctZTU4ZDJlM2Q4NDRhIiwicGFnZV90aW1lIjoxNzMwOTkxMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	56374	18.143.155.63	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:35.667350054 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 15:50:37.130047083 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 14:50:36 GMT Content-Type: text/html Connection: close Set-Cookie: btst=f995c9c247904d393bf103d6bee66032\|173.254.250.79\|1730991036\|1730991036\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	56375	85.214.228.140	80	2804	C:\daxjjwrfm\qbpabupgx.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 15:50:38.804857969 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 15:50:39.689093113 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 14:50:39 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Target ID:	0
Start time:	09:49:03
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\66HKNPT1fl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\66HKNPT1fl.exe"
Imagebase:	0x10000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:49:03
Start date:	07/11/2024
Path:	C:\daxjjwrfm\ew3dvaplid9hjn8.exe
Wow64 process (32bit):	true
Commandline:	"C:\daxjjwrfm\ew3dvaplid9hjn8.exe"
Imagebase:	0xaf0000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:49:04
Start date:	07/11/2024
Path:	C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):	true
Commandline:	C:\daxjjwrfm\qbpabupgx.exe
Imagebase:	0x4f0000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:49:05
Start date:	07/11/2024
Path:	C:\daxjjwrfm\tkjnbticppc.exe
Wow64 process (32bit):	true
Commandline:	mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:	0x390000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:49:06
Start date:	07/11/2024
Path:	C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):	true
Commandline:	"C:\daxjjwrfm\qbpabupgx.exe"
Imagebase:	0x4f0000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:50:23
Start date:	07/11/2024
Path:	C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):	true
Commandline:	"c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:	0x4f0000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:50:25
Start date:	07/11/2024
Path:	C:\daxjjwrfm\tkjnbticppc.exe
Wow64 process (32bit):	true
Commandline:	mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:	0xe70000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:52:00
Start date:	07/11/2024
Path:	C:\daxjjwrfm\qbpabupgx.exe
Wow64 process (32bit):	true
Commandline:	"c:\daxjjwrfm\qbpabupgx.exe"
Imagebase:	0x4f0000
File size:	248'320 bytes
MD5 hash:	F0D9A1E7385ED0EA2ECE3D30915163D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51%
Total number of Nodes:	1733
Total number of Limit Nodes:	19

Executed Functions

Function 000200C1 Relevance: 56.1, APIs: 29, Strings: 2, Instructions: 1864sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 000203F9
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00020427
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0002046A
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00020496
GetTickCount.KERNEL32 ref: 00020587
GetCommandLineA.KERNEL32 ref: 0002063E
Sleep.KERNEL32(000003E8), ref: 00020CDF

Part of subcall function 0001B150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0001B1D7

Sleep.KERNEL32(00000D05), ref: 00020BD2

Part of subcall function 0001B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0001B256
Part of subcall function 0001B150: CloseHandle.KERNEL32(00000000), ref: 0001B26B

Sleep.KERNEL32(000007D0), ref: 00020DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00020EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00020ECC
CopyFileA.KERNEL32(?,?,00000000), ref: 00020EFE
SetFileAttributesA.KERNEL32(?,00000002), ref: 000210B9
SetFileAttributesA.KERNEL32(?,00000080), ref: 000210E7
GetCommandLineA.KERNEL32(00000000), ref: 0002120E
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 0002132B

Part of subcall function 00022290: lstrlen.KERNEL32(?), ref: 000222A2
Part of subcall function 00022290: CharLowerBuffA.USER32(?,00000000), ref: 000222BE

MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00021663

Part of subcall function 000172E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00017452

CloseHandle.KERNEL32(00000000), ref: 00021AC5
SetFileAttributesA.KERNEL32(?,00000080), ref: 00021AE1
CopyFileA.KERNEL32(?,?,00000000), ref: 00021B07
SetFileAttributesA.KERNEL32(?,00000002), ref: 00021B43
Sleep.KERNEL32(000003E8), ref: 00021CAC
WSAStartup.WS2_32(00000202,?), ref: 00021947

Part of subcall function 00032780: ExitProcess.KERNEL32 ref: 000327B0

Sleep.KERNEL32(000007D0), ref: 00021DFC
SetFileAttributesA.KERNEL32(00056680,00000080), ref: 00021E27
CopyFileA.KERNEL32(?,00056680,00000000), ref: 00021E45
SetFileAttributesA.KERNEL32(00056680,00000002), ref: 00021E7B

Part of subcall function 0003C080: Sleep.KERNEL32(000003E8), ref: 0003C1C3

Part of subcall function 0001BBA0: wvsprintfA.USER32(00000000,?,000309D1), ref: 0001BBEB

CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00022194
Sleep.KERNEL32(0000C350), ref: 00022210

Strings

C:\Users\user, xrefs: 000203F3
x7;C, xrefs: 00020C47

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
String ID: C:\Users\user$x7;C
API String ID: 1500488346-1973627574
Opcode ID: 1045a1b9afaa71d45974fd25b02691f811b4bbd28303df9c7bced6b98c81d8eb
Instruction ID: ec21f8288d54ac4530428db3f9df4615f260c15cc083a14af471c2e523b5f5cf
Opcode Fuzzy Hash: 1045a1b9afaa71d45974fd25b02691f811b4bbd28303df9c7bced6b98c81d8eb
Instruction Fuzzy Hash: 6203E0B9A00310DBF758DF64FE92AAB37F5FB55302B40812AE406CB261EB7C9941CB55

Function 00022490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0005EAC8), ref: 00022572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 000226EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00022843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0002289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0002293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000229E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00022CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 00022D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00022EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0002307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 000231FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0002344D

Strings

C:\Users\user, xrefs: 00022B0A, 00022BCC
Wq0O, xrefs: 00022FE3
\, xrefs: 00022F41
C:\daxjjwrfm\, xrefs: 00022960, 00022CC9, 00023032, 0002321C

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-3631644381
Opcode ID: cd8df9e28a4c8474bf2d5cb7cc39472d046d2a319056feee56651c3b65ce2cd2
Instruction ID: b8ce1d919ed4b1dcff4deead7b1d7f43ed4fedde6c7c3a063ac2dd806ace9272
Opcode Fuzzy Hash: cd8df9e28a4c8474bf2d5cb7cc39472d046d2a319056feee56651c3b65ce2cd2
Instruction Fuzzy Hash: 378204B5A00315CBF718DF24FE92AAB33B5F755312F00812AE905C72A1EB7C9A41CB59

Function 000160A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000140B0: lstrlen.KERNEL32(?,?,00011038,?), ref: 000140DD

Sleep.KERNELBASE(000003E8), ref: 00016189
FindFirstFileA.KERNELBASE(?,?), ref: 00016274
DeleteFileA.KERNELBASE(?), ref: 0001632E
FindNextFileA.KERNELBASE(?,?), ref: 00016384
FindClose.KERNEL32(?), ref: 000163AA

Strings

xsh, xrefs: 00016159, 00016169

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: xsh
API String ID: 3282225923-3135071692
Opcode ID: 1b030371927e8c90b1804ead12bb607d21d8f3b9c5694af988fc5b89b5baebaa
Instruction ID: af86bd2df178bc2a8cad73efaa34d8001f5a8b96d60c38f495c5528261bcbdc6
Opcode Fuzzy Hash: 1b030371927e8c90b1804ead12bb607d21d8f3b9c5694af988fc5b89b5baebaa
Instruction Fuzzy Hash: 2F81F3B99003049FF718DF64FE82AAA37B5FB95302F04856AE505872B0EB7C9A40CB55

Function 00033060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0003327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0003344B
CloseHandle.KERNEL32(?), ref: 000334DA

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: b19115d8d21871399c7673d9ce165b593d3da53b799ef28b7beecbcd8885027d
Instruction ID: a557b17f06b80acd3d0559beda7ca0adda178d04325ff2b1809bdfa7bc7e9a08
Opcode Fuzzy Hash: b19115d8d21871399c7673d9ce165b593d3da53b799ef28b7beecbcd8885027d
Instruction Fuzzy Hash: A3C1CFB9A10710CBF305DF68FD916AB33E9F759326B00811AE805C7275E77CA981CB89

Function 0003C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00022591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00022591), ref: 0003C701
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0003C737
FreeSid.ADVAPI32(?), ref: 0003C798

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: be1b160c56dc48a3af4555eee7dd1032f43c89ed72cb74e7d1b8e4c7a9d5389d
Instruction ID: 8dd7147f3a1418e90b4e8c44df3ea972d5754a2777e5705d0f6d299ab0534d0b
Opcode Fuzzy Hash: be1b160c56dc48a3af4555eee7dd1032f43c89ed72cb74e7d1b8e4c7a9d5389d
Instruction Fuzzy Hash: 2E41BFB9604344DFF708CB78EE96A6A7BF4F75A302B50815AE906D7261E7389940CF09

Function 0002C520 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00040A4E,?,00040A4E,00000000), ref: 0002C549
RtlFreeHeap.NTDLL(00000000,?,00040A4E,00000000), ref: 0002C550

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b50a5715f12ee29b258395c2598e2b0aa1099f851d0c6474575d98edf8e5cc12
Instruction ID: af539a20d52cfbc8a95d95facc9b3368e91f8df85d36aa68d7296cea490cbec4
Opcode Fuzzy Hash: b50a5715f12ee29b258395c2598e2b0aa1099f851d0c6474575d98edf8e5cc12
Instruction Fuzzy Hash: A6F030B59187149FF7089F58FD95A7A37E4AB04706B404409E509CB621E778E880CB69

Function 0002B733 Relevance: .3, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f820a01e8ca5acbc9fe021a0d569f88237122110d6f39f3a1bdd7d0d609d07
Instruction ID: ee9f9a7371e3b4596b90f860bf1015cfdb3ad1cf5bb634e27668b0c81020c26f
Opcode Fuzzy Hash: e7f820a01e8ca5acbc9fe021a0d569f88237122110d6f39f3a1bdd7d0d609d07
Instruction Fuzzy Hash: FBC178B9615751CBF348CF29FE9256637F1FB5A312310552AE402CB2B0EB7C9981CB49

Function 0003A760 Relevance: 10.8, APIs: 7, Instructions: 266
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0003A7F1
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0003A849
CloseHandle.KERNELBASE(00000000,?,?,000000FF), ref: 0003A885
GetTickCount.KERNEL32 ref: 0003A8B8
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0003AA75
WriteFile.KERNELBASE(00000000,000000FF,?,?,00000000), ref: 0003AAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0003AAE2

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: b490ed0bd093e8ea463e7ea430039796ee8c2768404dcedbb48859046f85dcc5
Instruction ID: 879d68489580c2328db605cc33a47636a40a875c5d080599b37d527819e4e488
Opcode Fuzzy Hash: b490ed0bd093e8ea463e7ea430039796ee8c2768404dcedbb48859046f85dcc5
Instruction Fuzzy Hash: 72A1F4B96007009BF305DF24ED92BBB33B9FB4A712F14411AE845872A1E77C9941CB9A

Function 000338B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00033A0F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00033A3E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00033A52

Strings

D, xrefs: 000339D3

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: ab9b267c9ce979aea999ad378509f9d3670ff77b58f82d9a148fadce86127a97
Instruction ID: 94b5192a97a8541c9aebb325e3f94d03b20b06c611752306db0b8d1324dbcffa
Opcode Fuzzy Hash: ab9b267c9ce979aea999ad378509f9d3670ff77b58f82d9a148fadce86127a97
Instruction Fuzzy Hash: 2541C3B5900705DBF708CF58EE91BAA37F9FB55702F00801AE505DB2A4E7BCA944CB49

Function 00026F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00029195,021A1850,?,?,?,?,?,00036DD6), ref: 00026F59
RtlAllocateHeap.NTDLL(00000000,?,00029195,021A1850,?,?,?,?,?,00036DD6), ref: 00026F60

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7d79e7a3afb7d9138af976c653894a47846a9f4dd073d2ca6f2b7a5b0bbaa4d3
Instruction ID: fed5bd6b12df2885aaf0277baccaba5b72bbf746dfea4820def83b809e6dc7f5
Opcode Fuzzy Hash: 7d79e7a3afb7d9138af976c653894a47846a9f4dd073d2ca6f2b7a5b0bbaa4d3
Instruction Fuzzy Hash: B1F08CB96107008BEB48DB64FE99A2637E9EB467027444419B20687661EABA94408B98

Function 00022290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 000222A2
CharLowerBuffA.USER32(?,00000000), ref: 000222BE

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 4cebd069c4b6ab05f6d612f24b99cba5cdad47afab9887d235daedcb0c050e70
Instruction ID: fa785aa4f2d7f5a3bf5ecf5fc3b2ee818671a2874297cf3c1c6c40be565394e3
Opcode Fuzzy Hash: 4cebd069c4b6ab05f6d612f24b99cba5cdad47afab9887d235daedcb0c050e70
Instruction Fuzzy Hash: B6E0DF761007209BE3009F98FD084F733ECFB053033484066E989D2270EB2C2D41C7A5

Function 00032780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 000327B0

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: fe706f76c4ed56000dd0d10c187d3260c02b9c6a450c624d589d16c2dcfa7309
Instruction ID: 604e9407831a5b1861ec110418f05a17f1977dd83aac7aa59fa4e7f81be63767
Opcode Fuzzy Hash: fe706f76c4ed56000dd0d10c187d3260c02b9c6a450c624d589d16c2dcfa7309
Instruction Fuzzy Hash: 4DD05EB45207048A9708AF24FD8562277ACFB40702B401424E4418B224F3BCE78187D5

Non-executed Functions

Function 0003EEB0 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 444pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0003F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0003F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0003F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0003F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0003F2C2
CloseHandle.KERNEL32(00000000), ref: 0003F353
CloseHandle.KERNEL32(?), ref: 0003F367
CloseHandle.KERNEL32(00000000), ref: 0003F37B
CloseHandle.KERNEL32(00000000), ref: 0003F3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0003F446
CloseHandle.KERNEL32(00000000), ref: 0003F4D4
CloseHandle.KERNEL32(00000000), ref: 0003F4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 0003F56B
CloseHandle.KERNEL32(?), ref: 0003F586
CloseHandle.KERNEL32(?), ref: 0003F5A7

Strings

;8\w, xrefs: 0003F4FA
<,]8, xrefs: 0003F2D1
D, xrefs: 0003F1D6

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D
API String ID: 1130065513-4129721015
Opcode ID: a94971b1d64c7ae28e86efd85b5c115b7255028a7e30c0334e688229009b1b07
Instruction ID: 1a1e87ae0f60e56a1212d0b282a18d9c0f47894baf6c6d0f857d07b5589ebb45
Opcode Fuzzy Hash: a94971b1d64c7ae28e86efd85b5c115b7255028a7e30c0334e688229009b1b07
Instruction Fuzzy Hash: 9E12C2B9A00305DFF748CF68EE959BB37B9FB59312B10852AE805C7264E77C9940CB58

Function 000301B0 Relevance: 29.0, APIs: 10, Strings: 6, Instructions: 1003COMMON

Download Yara Rule

Strings

/, xrefs: 000303F1
@(l$, xrefs: 00030A8B, 00030A91
SbJ, xrefs: 00030E0D
!|/0, xrefs: 00030AE8
'~(-, xrefs: 00030449
*c, xrefs: 00030F6B

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Time$FileSystem__aulldivlstrlen
String ID: !|/0$'~(-$/$@(l$$SbJ$*c
API String ID: 3360920532-3188750162
Opcode ID: ebe21c35cdcaa82c8b1ad35ff4f7e7be46e63327ddf0fde7445aa1f615ee2db0
Instruction ID: 9c77cefceaf5d002daf161d25badf1171cb221570d27faae9a22d1d7416e1d26
Opcode Fuzzy Hash: ebe21c35cdcaa82c8b1ad35ff4f7e7be46e63327ddf0fde7445aa1f615ee2db0
Instruction Fuzzy Hash: 379216B5A01301CBF708DF24FD926BB77B9FB95312F10812AE406972A2EB7C5941CB95

Function 0003DB50 Relevance: 17.2, APIs: 11, Instructions: 662memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 0003DD1A
LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000001), ref: 0003DDBB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0003DE59
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0003DEBE
HeapAlloc.KERNEL32(0003D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0003DF03
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0003DF39
HeapFree.KERNEL32(0003D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0003DFDD
HeapAlloc.KERNEL32(0003D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0003E00E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0003E035

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: FreeHeapLibrary$Alloc$AddressLoadProcProcess
String ID:
API String ID: 1582890587-0
Opcode ID: 4020a1181cfb00c07e77e00224fb484e5d6516a1484949c7b4585a75781ac471
Instruction ID: c64d1821a902969214489447e3718a0245e78ce130cb24ee5a6daa3309c8aa1e
Opcode Fuzzy Hash: 4020a1181cfb00c07e77e00224fb484e5d6516a1484949c7b4585a75781ac471
Instruction Fuzzy Hash: C452C0B9A10701CBF358DF28FD926AB37F5F75A312B10462AE805CB2A0E77C9941CB55

Function 0003B7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 0003B8EC
Process32First.KERNEL32(00000000,00000128), ref: 0003BA96

Strings

9y8, xrefs: 0003BC13

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: d0b216ead84b5215bf5aa71dbcf069f92b0c155b22a63121ddbdbe8db51602f2
Instruction ID: e653a46377bf1fa97a70bab7425410edbea7ff1ec059f2bd4e6b622ba3cb9db3
Opcode Fuzzy Hash: d0b216ead84b5215bf5aa71dbcf069f92b0c155b22a63121ddbdbe8db51602f2
Instruction Fuzzy Hash: 2DF1F3B9A007018BF714CF28EE92A7B37F5FB95316B00812AE506C7275EB7C9981CB55

Function 00028200 Relevance: 13.7, APIs: 9, Instructions: 167serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0002826F
CreateServiceA.ADVAPI32(00000000,009B04D0,009B04D0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 000282CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00028301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00028323
CloseServiceHandle.ADVAPI32(00000000), ref: 0002833A
OpenServiceA.ADVAPI32(00000000,009B04D0,00000010), ref: 0002838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 000283C2
CloseServiceHandle.ADVAPI32(00000000), ref: 00028408
CloseServiceHandle.ADVAPI32(00000000), ref: 00028481

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: a7236c3f024af6f1c5c398e068e1475c1049e4819b346bba37e9e718867f5863
Instruction ID: ae5c5d42f61e48282c1f160ee1f01e7facd80ded37dc1a05e293c98dd2e0fe9f
Opcode Fuzzy Hash: a7236c3f024af6f1c5c398e068e1475c1049e4819b346bba37e9e718867f5863
Instruction Fuzzy Hash: 9861DDB9A057119BF358CB28FE86B3A37F4F746702F108516E945C62B0EB7C9981CB49

Function 0003A050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 0003A124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 0003A164
GetLastError.KERNEL32(?,00000000,00000001), ref: 0003A176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 0003A24F

Part of subcall function 0001BBA0: wvsprintfA.USER32(00000000,?,000309D1), ref: 0001BBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 0003A44C

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: 735e53464c15e80024fd1010f8497dd44f47b4f68dc101a8e952fc693c1ee454
Instruction ID: 758d3e3d96fed1a9c36f45a9e797cfe39b9e1b927a58a5942ee5fe6bd1e16d7c
Opcode Fuzzy Hash: 735e53464c15e80024fd1010f8497dd44f47b4f68dc101a8e952fc693c1ee454
Instruction Fuzzy Hash: 50C1D3B5A00300DBF754CF64FE81AAB77F5FB96302F00812AE505DB2A0E7789941CB56

Function 0002C250 Relevance: 6.1, APIs: 4, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0002C312
Process32First.KERNEL32(00000000,?), ref: 0002C35A
Process32Next.KERNEL32(00000000,00000128), ref: 0002C478

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 93b060a3142b4ddf69ac84795073982afa429fb5a8a402826c963599b27ea679
Instruction ID: bd93c99e22965ec9a6947e79369638d6add577670e3cc39480961b59bc741b97
Opcode Fuzzy Hash: 93b060a3142b4ddf69ac84795073982afa429fb5a8a402826c963599b27ea679
Instruction Fuzzy Hash: FE51F2B9901311CBF714DF20FE55AAB37B5FB49302F00845AE8059A6B4EB7C8A40CF99

Function 00037BD0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

:rgN, xrefs: 00037D61

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: :rgN
API String ID: 0-1384114704
Opcode ID: 3ac24e69dc7d34292b5b95eac32d7ee50df1d490459c1c6573a3957866377592
Instruction ID: 90513712818e2758787a281134dc3832d934a72e4eeadd575f671ab107b152e3
Opcode Fuzzy Hash: 3ac24e69dc7d34292b5b95eac32d7ee50df1d490459c1c6573a3957866377592
Instruction Fuzzy Hash: B43205B9A04704CBF715DF24ED826BB37B9FB95312F10842AE905DB261EB3C9941CB58

Function 000399B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00039A16
GetTickCount.KERNEL32 ref: 00039B6B

Strings

@(l$, xrefs: 00039ABD

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @(l$
API String ID: 2164215191-2034585603
Opcode ID: e9e8f7fb5a317bf837ab0c7d0d11394947bb3983fb939b397f5fdb3ba87a6dfb
Instruction ID: ab0d912353c399fdc9fc2d7df78d6c7d66933c5a35b4e8f468f17416a9f85b8e
Opcode Fuzzy Hash: e9e8f7fb5a317bf837ab0c7d0d11394947bb3983fb939b397f5fdb3ba87a6dfb
Instruction Fuzzy Hash: 6F418FB69003108FF348DF28FDC25AB37B5FB95316704452AD846C6671EB7DA940CB95

Function 00032950 Relevance: 4.8, APIs: 3, Instructions: 309sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00032CB0
Sleep.KERNEL32(00015F90), ref: 00032E36
DeleteFileA.KERNEL32(?), ref: 00032E4D

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$DeleteModuleNameSleep
String ID:
API String ID: 2157229623-0
Opcode ID: 79e5ccb817f8b682c1c26e7365a50c2a09d83a48ac26e1535dcd455322c13c1e
Instruction ID: b16b3b850c8f4c6accaaf7dd5980e79f3ff4d3950e030fb09063385780e6bff5
Opcode Fuzzy Hash: 79e5ccb817f8b682c1c26e7365a50c2a09d83a48ac26e1535dcd455322c13c1e
Instruction Fuzzy Hash: 5DD147B99003049BF318DF24ED92ABB33F9F795702F00451AE5058B2B5EB7C9981CB59

Function 000119C0 Relevance: 4.1, Strings: 3, Instructions: 356COMMON

Download Yara Rule

Strings

C:\Users\user, xrefs: 00011B2A
=], xrefs: 00011C71
p`^p, xrefs: 00011EEB

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: C:\Users\user$p`^p$=]
API String ID: 0-2154772735
Opcode ID: 7bf883c7c17186630a10eee47bada58675173074453ad7020a5a9ac8ccff473b
Instruction ID: beec0b5d26cbdbe6424a0c5f87bfccab15d8386711c6dbda4b23cf073f2c3c2f
Opcode Fuzzy Hash: 7bf883c7c17186630a10eee47bada58675173074453ad7020a5a9ac8ccff473b
Instruction Fuzzy Hash: F0E103B5A003009BE748DF64FD92AEB33B8FB55316F40452AE505D72B2EB3CAA41CB55

Function 00035950 Relevance: 4.1, Strings: 3, Instructions: 342COMMON

Download Yara Rule

Strings

W, xrefs: 00035DE4, 00035DEA
7dsX, xrefs: 00035A94
,L, xrefs: 00035DF7

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: ,L$7dsX$W
API String ID: 0-1044966223
Opcode ID: f9357257e9acff781122850d7327dca1888c3d7555735484b172cd3da9e94083
Instruction ID: c1258af1e66b14189b8ce56a92ed9590874b20afede494ffc89f451c2747f841
Opcode Fuzzy Hash: f9357257e9acff781122850d7327dca1888c3d7555735484b172cd3da9e94083
Instruction Fuzzy Hash: DEE10076A107108BF718CF29ED915AB73F6FB89323B15822AD8069B374D73C5841CB98

Function 000144A0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 453fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0003EEB0: CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0003F00B

DeleteFileA.KERNEL32(?), ref: 00014B8D

Strings

, xrefs: 00014839

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CreateDeleteFilePipe
String ID:
API String ID: 4227001771-3916222277
Opcode ID: 984bd36292fb319a0fd539d58e416a49561bc3adfac3b7e36511842ad6fb0cdf
Instruction ID: 219e2f5f8929b72bb5661d409c94e195b4f6353d580c86f46c04993ced8f1c47
Opcode Fuzzy Hash: 984bd36292fb319a0fd539d58e416a49561bc3adfac3b7e36511842ad6fb0cdf
Instruction Fuzzy Hash: E80201B5A047048BF704DF28ED82AEB33B5FB95316F10412AE505CB2B2E77C9A81CB55

Function 0003FE10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

1BJ, xrefs: 00040617

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CountSystemTickTime
String ID: 1BJ
API String ID: 2164215191-3696045056
Opcode ID: 80c1826b623f27ee06e507dc46bbd4727362e60b377c4b8f6c7f0afa5233c63f
Instruction ID: c7c563355d580cbea45386616f734ecd699d53a6a0dee02902a89e23ed1ca6b0
Opcode Fuzzy Hash: 80c1826b623f27ee06e507dc46bbd4727362e60b377c4b8f6c7f0afa5233c63f
Instruction Fuzzy Hash: 4142C0B5A00304CFF704DF64ED92AAB37B5FB55312F00812AE506972A5EB7C9A81CF59

Function 00025F50 Relevance: 3.4, Strings: 2, Instructions: 927COMMON

Download Yara Rule

Strings

t#A9, xrefs: 000265B7
[m#X, xrefs: 000262F7

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: [m#X$t#A9
API String ID: 0-521692942
Opcode ID: 3c9362f2ce5050979d33f2ff89b44adaa0b5015f2cbe3a11a920bf84382022da
Instruction ID: f122b8282e3d76876ac6c5e7c3084915c9e2c5cc041784051c31d7a58b518dbf
Opcode Fuzzy Hash: 3c9362f2ce5050979d33f2ff89b44adaa0b5015f2cbe3a11a920bf84382022da
Instruction Fuzzy Hash: 2D8235B5A007158FEB18CF68FE919AF77F6FB98312B14812AD805D7364E7389940CB94

Function 0003CBE0 Relevance: 2.1, APIs: 1, Instructions: 633COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 0003CD44

Part of subcall function 000140B0: lstrlen.KERNEL32(?,?,00011038,?), ref: 000140DD

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: ComputerNamelstrlen
String ID:
API String ID: 4141851928-0
Opcode ID: 9c8bdd30c865638ae9e8f8153bb1d301b7e066011f6662976ccaac05033c31d5
Instruction ID: b02d15c87f2b04a430c6a120a6b01118a7d58fbfe6b37f3b755167fecd9921ef
Opcode Fuzzy Hash: 9c8bdd30c865638ae9e8f8153bb1d301b7e066011f6662976ccaac05033c31d5
Instruction Fuzzy Hash: E652F6B5910304CBF758DB24ED92AFB73B9FB55302F40812AE406A71B2EB786A44CB55

Function 00038BA0 Relevance: 1.9, Strings: 1, Instructions: 668COMMON

Download Yara Rule

Strings

@H , xrefs: 000394F3

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: @H
API String ID: 0-679593823
Opcode ID: 5402fb4dadbc766aab03c954d384cf570d6ee11776388956462e094d6ce2eb27
Instruction ID: f3b9b569fd9fa6663a3f9fd7edb281857726f3c7c2af06aaa7b641d4c7b002fd
Opcode Fuzzy Hash: 5402fb4dadbc766aab03c954d384cf570d6ee11776388956462e094d6ce2eb27
Instruction Fuzzy Hash: A352F4B9A043418BF709CF24EE916BB77F5FB96312F14852AE4058B2B1E77C8941CB49

Function 00025520 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

zwfC, xrefs: 00025AC0

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: zwfC
API String ID: 0-2819243322
Opcode ID: 179a385611c3720ec3a2cf80113a40b069ab8c2277adafadb0dce91eb1e88638
Instruction ID: 49972dbad96e9b8ad28220f876eb51b708faf0cb6ddaef1a29ed5a456bf2f876
Opcode Fuzzy Hash: 179a385611c3720ec3a2cf80113a40b069ab8c2277adafadb0dce91eb1e88638
Instruction Fuzzy Hash: 31E1F8B5A007148FF708DF24FE925BA77B9FB95312700852AD8068B371EB7C9941CB99

Function 00015730 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

+EM, xrefs: 00015AD0

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: +EM
API String ID: 0-2077864378
Opcode ID: 50009f4067d0bd5280e784d816a75df7e9c151b6d7cd9afe7f0e39afb5ad1e7f
Instruction ID: 813bb6efe78f70a2594b36972283e40aecdf3fd25390e3a123431d6d2233615f
Opcode Fuzzy Hash: 50009f4067d0bd5280e784d816a75df7e9c151b6d7cd9afe7f0e39afb5ad1e7f
Instruction Fuzzy Hash: E6D1D1B9904741CBF358CF28EE915AA37F1F79A313314862AD8458B275EB3C9981CB49

Function 00035010 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0003503B

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 18b98fe1cfc3b3ab4a01b09c5468889cc4eb4d6debbbf8acc6f0d5620183fffc
Instruction ID: 653d26236c55c2c8df1aca1ec68e62f1a55d224ce7d86ff6a205923facb8a8ff
Opcode Fuzzy Hash: 18b98fe1cfc3b3ab4a01b09c5468889cc4eb4d6debbbf8acc6f0d5620183fffc
Instruction Fuzzy Hash: 44F0D4B1A157098BE708DF68EC454AB7BF9FB18316B404A69E814C3325F7399604CF85

Function 000385E0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

!B%I, xrefs: 00038813

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: !B%I
API String ID: 0-2905040698
Opcode ID: e393f8bc9fd25e7f15a548460565f4ec4d77df014d15cf374e402056dd8bf611
Instruction ID: 468ed7eb4729323cd76d00578d4974dc06b03a53d38e1c745c3d29ea3e5d6688
Opcode Fuzzy Hash: e393f8bc9fd25e7f15a548460565f4ec4d77df014d15cf374e402056dd8bf611
Instruction Fuzzy Hash: 3AB133B9A043408BF348CF28EE8152A7BF6FB96312714C16AE405CB775EB3C8842CB45

Function 000277A1 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

eH(, xrefs: 000279F9

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: eH(
API String ID: 0-1750492490
Opcode ID: 67e71007c43c9e378f3d0e615bc4eb3b4cc36c3f3b4af3c990a89a6d51625265
Instruction ID: 7a8681790a8bbb5c166101e81565d571481bffa9df944b62836b8dee3e717f30
Opcode Fuzzy Hash: 67e71007c43c9e378f3d0e615bc4eb3b4cc36c3f3b4af3c990a89a6d51625265
Instruction Fuzzy Hash: 5191CFB95043218BE358CF69FD9167737F1FB96326B00852ED805876B1EB3C8841CB59

Function 000277F0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

eH(, xrefs: 000279F9

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: eH(
API String ID: 0-1750492490
Opcode ID: 6e3c92646aec1d0f836df4a0faa3a6cf213bc0e40d1cea91358ffc7d1dcf1c19
Instruction ID: 1edcdbc04b9d182de7bd1d630c58cccdb09e0b7ba97ca71f83249d6b0803809f
Opcode Fuzzy Hash: 6e3c92646aec1d0f836df4a0faa3a6cf213bc0e40d1cea91358ffc7d1dcf1c19
Instruction Fuzzy Hash: A691CEB95043218BE358CF29FD9167B37F5FB95326B00852AD806866B1EB7C8841CB99

Function 00015894 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

+EM, xrefs: 00015AD0

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID: +EM
API String ID: 0-2077864378
Opcode ID: ac082a26341446192698e13cf5676ba7e069e21c0596ea5af34ffc8053d44a66
Instruction ID: 87bfcc6ca2b2d9eb3780593297d84410955f536be4cfadc55f5d381d8dd9e023
Opcode Fuzzy Hash: ac082a26341446192698e13cf5676ba7e069e21c0596ea5af34ffc8053d44a66
Instruction Fuzzy Hash: C37104B9904741CFF758CF28EEC05AA3BE1F79A317324862AD4458B275E73C9981CB49

Function 00024420 Relevance: 1.0, Instructions: 983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421386a95b87482f3574c2ae3f7412e1de29c50eba9f3e19fd8e2726df66ae14
Instruction ID: 61074deef4de553a60d807bd2171c0a355c40738a1e7f6e4be746cbd70284bec
Opcode Fuzzy Hash: 421386a95b87482f3574c2ae3f7412e1de29c50eba9f3e19fd8e2726df66ae14
Instruction Fuzzy Hash: 9D9216B5A00315CBEB18DF64FD919BF77F9FB99302B00812AE806DB261E7389940CB55

Function 00033AF0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714c43a362d324dbae0f6d398d7bab24dda358563fc702ffaa51fa2a9033f583
Instruction ID: 741c8343e3a2d5f049da67a1424addccd14c5349963df829564365bdbfb2a059
Opcode Fuzzy Hash: 714c43a362d324dbae0f6d398d7bab24dda358563fc702ffaa51fa2a9033f583
Instruction Fuzzy Hash: 7602F0B9A14701CBE718CF28FD921BB73E5FB59312B14812AD816CB670E77C9980CB49

Function 0003ABB0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf67ea8114e1833b62cf9838684b5f7be7b04bc355e34eae4ac8abf53c5a55af
Instruction ID: c0f470463b4e4f1938a80b84d918614fdd4505984b2f44db7361ab9c405bffea
Opcode Fuzzy Hash: cf67ea8114e1833b62cf9838684b5f7be7b04bc355e34eae4ac8abf53c5a55af
Instruction Fuzzy Hash: 82E1FEB9A10710CBF304CF29EE9156B77F6FB9A302750C52AD4458B278EB3C9942CB49

Function 00012F90 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a561053124be6e21ae89dd09e1224f9fc86b26252faf5291cf3aaf9c9ab104
Instruction ID: 5eaa63484e68e742b64500688d079476a52891ee4784a2e06845282b46fd5dca
Opcode Fuzzy Hash: d6a561053124be6e21ae89dd09e1224f9fc86b26252faf5291cf3aaf9c9ab104
Instruction Fuzzy Hash: 9FC117B56003058FF724CF28FD91ABA77E4FB55316F00822AE806C7661E7B89AC1CB45

Function 00024A29 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cdcb01c312d4a2f8b4fef7c393815bc07408f6f16c213fa0172851c926b462
Instruction ID: 70d081071036c4e1f0467cc3e6b52998f44aac171930c4f3872d11ef19775718
Opcode Fuzzy Hash: a6cdcb01c312d4a2f8b4fef7c393815bc07408f6f16c213fa0172851c926b462
Instruction Fuzzy Hash: C1B1ADB9A00315CBEB68CF28FD919BB77F5FB99302711851AD806DB660E7389840CF55

Function 000345A0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6747c7476ec5cab3a7555b397a61eead961b73ec7824dbef66f8d13f29a4af21
Instruction ID: 381fae61acba5b66245728a7f5a55b89d9fceb76e5d8ca9c7d24b27fb1b8f159
Opcode Fuzzy Hash: 6747c7476ec5cab3a7555b397a61eead961b73ec7824dbef66f8d13f29a4af21
Instruction Fuzzy Hash: FDB1ACBAA057108FF358CF29EE9146A77F1FB9A312705852ED8458B274E77CA841CF48

Function 0002C640 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96ebf2cae41827decfd1e819f281a773ee6e2503349fb8fd725019367f24a96
Instruction ID: 021cc056d2ffc657c779f257ddea027260744923f16d1a7836873fd2b9c84821
Opcode Fuzzy Hash: b96ebf2cae41827decfd1e819f281a773ee6e2503349fb8fd725019367f24a96
Instruction Fuzzy Hash: 4DA114B9514721CFF714CF29FE8196B33B2FB9A716710821AD8068B275E73C9841CB85

Function 00040850 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 894395f6fe9bc006e88617788b7d9225c8584d1aef939039c85cfa58edbe3df6
Instruction ID: 280d31a756980ba3b07e3a9122e322d2242e2da609f3a5c0fa65535393bbdab8
Opcode Fuzzy Hash: 894395f6fe9bc006e88617788b7d9225c8584d1aef939039c85cfa58edbe3df6
Instruction Fuzzy Hash: 3A8112B56003018BF758DF28ED92A7B33F5FB953027048929E546D7362EB3CA941CB99

Function 0001B150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0001B1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 0001B256
CloseHandle.KERNEL32(00000000), ref: 0001B26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0001B2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0001B31A
CloseHandle.KERNEL32(00000000), ref: 0001B334

Strings

td9k, xrefs: 0001B23D

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 86357b0c2af08b1b2e66fa95c2add7bf48c69c5b348fe13ff10b28df25e3b912
Instruction ID: 906dab6c9381d8f155cf08dc1d594cb989f18c43d9cc60fd651c60581b7c96c0
Opcode Fuzzy Hash: 86357b0c2af08b1b2e66fa95c2add7bf48c69c5b348fe13ff10b28df25e3b912
Instruction Fuzzy Hash: B751D3B9A053059BF314CF69FD81AAB77B4FB85315F10826BE409C72A0E7389945CF89

Function 0001B531 Relevance: 12.2, APIs: 8, Instructions: 187registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(009B04D0,Function_00014290,?,?,00000072), ref: 0001B669
SetServiceStatus.ADVAPI32(00000000,000567EC,?,?,00000072), ref: 0001B70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 0001B721
SetServiceStatus.ADVAPI32(00000000,000567EC,?,?,00000072), ref: 0001B771
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 0001B7D0
SetServiceStatus.ADVAPI32(00000000,000567EC,00000072), ref: 0001B82A
CloseHandle.KERNEL32(00000000), ref: 0001B841
SetServiceStatus.ADVAPI32(00000000,000567EC), ref: 0001B8AA

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: af5b9742d60ac4645235c1ca26c8fa2a2cc68e21df784f98a3820e14a62cf98d
Instruction ID: 5be4d3674bd8ac3191d17577d71bec436c7fed95917533eb2a6e0d26455c88e3
Opcode Fuzzy Hash: af5b9742d60ac4645235c1ca26c8fa2a2cc68e21df784f98a3820e14a62cf98d
Instruction Fuzzy Hash: B581BAB9605311CBF308CF25FE998673BA5F799707740851AE5428B2B0EB7E9941CF48

Function 00031E90 Relevance: 10.7, APIs: 7, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00031F5E
Process32First.KERNEL32(00000000,00000128), ref: 00031FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000320A2

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 671b7e6bfb6f202fc437bd786bdff729563d74f96c7924eb723fd710e6359c6d
Instruction ID: bcd3f9a0526e1ea81cb57f834306a580aebf6ebaaa55aa151fdd0a71267c0ba1
Opcode Fuzzy Hash: 671b7e6bfb6f202fc437bd786bdff729563d74f96c7924eb723fd710e6359c6d
Instruction Fuzzy Hash: 86A1A1B9601311DFF759DF24EE916AA77B9FB66312F10812AD805C6270E73C9A40CF49

Function 00031950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00038262,Function_00001300,00000001,?), ref: 0003199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 000319C2
CloseHandle.KERNEL32(00000000,?,00038262,Function_00001300,00000001,?), ref: 000319DD
WaitForSingleObject.KERNEL32(?,000000FF,?,00038262,Function_00001300,00000001,?), ref: 000319F2
CloseHandle.KERNEL32(?,?,000000FF,?,00038262,Function_00001300,00000001,?), ref: 00031A19

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 57db312aed73190dc431c82d58311c7b22ddde8282e324c89a7bd3bbccbf8988
Instruction ID: b7086380f4a7e87f9bb29f477c4a1d8531bdd4de5bf7e94b53b2dac783040199
Opcode Fuzzy Hash: 57db312aed73190dc431c82d58311c7b22ddde8282e324c89a7bd3bbccbf8988
Instruction Fuzzy Hash: CD21DFB9204304AFF314DF20EE95B633BA4FB49712F108619F9168B6F4D7B9A8408F59

Function 00027110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00027221
RegSetValueExA.ADVAPI32(?,009B0748,00000000,00000001,?,00000000), ref: 000272E0
RegCloseKey.ADVAPI32(?), ref: 00027300

Strings

IR, xrefs: 00027313

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: CloseOpenValue
String ID: IR
API String ID: 779948276-3379982419
Opcode ID: 840e68a4e37bb50baac9ca8c9697262d40576e2f8bea0eac70130206d2c226c8
Instruction ID: 73d031c152f8a6d6edff64a5db8e8cf2aea0e28f13f553702608eb9382e96d6c
Opcode Fuzzy Hash: 840e68a4e37bb50baac9ca8c9697262d40576e2f8bea0eac70130206d2c226c8
Instruction Fuzzy Hash: E24122B9210310CBF708DB28FC85ABB37F5E745313B14841AE849C7260E77C9941CB69

Function 0003E880 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0003E966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 0003E9D7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0003EADD

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 0a17628a48a8d0eddf638d84d866acf025792209a83f2def421e88b1273d9f22
Instruction ID: ef49fb6715acecf95366482a3d86f916d445f08a66da2cd6f2345f716db515f9
Opcode Fuzzy Hash: 0a17628a48a8d0eddf638d84d866acf025792209a83f2def421e88b1273d9f22
Instruction Fuzzy Hash: EF81D2B9600304DFF744DF68EE91BAB33B5F786316F00461AE505872A1EB78A940CF99

Function 0003FAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00040A87,00000000,?,?,?,?,?,00000001), ref: 0003FAF7
RtlReAllocateHeap.NTDLL(00000000,?,00040A87,00000000), ref: 0003FAFE
GetProcessHeap.KERNEL32(00000000,?,?,00040A87,00000000,?,?,?,?,?,00000001), ref: 0003FB19
HeapAlloc.KERNEL32(00000000,?,00040A87,00000000,?,?,?,?,?,00000001), ref: 0003FB20

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 816d54baf89582d2d00e6e731529193507901531155aafd4b8a1cbee0004389e
Instruction ID: 152b6325003f5d2dc412034076afae075047282b40a47398ef2f57167bb53564
Opcode Fuzzy Hash: 816d54baf89582d2d00e6e731529193507901531155aafd4b8a1cbee0004389e
Instruction Fuzzy Hash: 70F01CB4610305EFFB549FB0ED09A6B3BACFF88612F508004F909876A0DB399940CB65

Function 00013DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00013E43
__aulldiv.LIBCMT ref: 00013E74

Strings

L9<8, xrefs: 00013F4F

Memory Dump Source

Source File: 00000000.00000002.1413034511.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1413019251.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413060700.0000000000042000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413074550.0000000000043000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.0000000000046000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413088654.000000000005E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1413137084.000000000005F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_66HKNPT1fl.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: 348d22a5811121cbce98dcb60f00706ded17ba72b456ccb899985ba1fb32bc0a
Instruction ID: c191a7c3217f6cf7110bc9877c026f634bfc68c7ddaea51952641b2dd0f6d446
Opcode Fuzzy Hash: 348d22a5811121cbce98dcb60f00706ded17ba72b456ccb899985ba1fb32bc0a
Instruction Fuzzy Hash: 1D4127BAA003009BF318CF04EE915BB77B6FB8671A711412EE4068B671D73C9981CF84

Analysis Process: ew3dvaplid9hjn8.exePID: 7892, Parent PID: 7840COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3%
Total number of Nodes:	1756
Total number of Limit Nodes:	23

Executed Functions

Function 00B000C8 Relevance: 64.9, APIs: 29, Strings: 7, Instructions: 1861sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00B003F9
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00B00427
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00B0046A
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00B00496
GetTickCount.KERNEL32 ref: 00B00587
GetCommandLineA.KERNEL32 ref: 00B0063E
Sleep.KERNEL32(000003E8), ref: 00B00CDF

Part of subcall function 00AFB150: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AFB1D7

Sleep.KERNEL32(00000D05), ref: 00B00BD2

Part of subcall function 00AFB150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AFB256
Part of subcall function 00AFB150: CloseHandle.KERNEL32(00000000), ref: 00AFB26B

Sleep.KERNEL32(000007D0), ref: 00B00DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00B00EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00B00ECC
CopyFileA.KERNEL32(?,?,00000000), ref: 00B00EFE
SetFileAttributesA.KERNEL32(?,00000002), ref: 00B010B9
SetFileAttributesA.KERNEL32(?,00000080), ref: 00B010E7
GetCommandLineA.KERNEL32(00000000), ref: 00B0120E
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00B0132B

Part of subcall function 00B02290: lstrlen.KERNEL32(?), ref: 00B022A2
Part of subcall function 00B02290: CharLowerBuffA.USER32(?,00000000), ref: 00B022BE

MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00B01663

Part of subcall function 00AF72E0: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AF7452

CloseHandle.KERNEL32(000000E8), ref: 00B01AC5
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00B01AE1
CopyFileA.KERNEL32(?,?,00000000), ref: 00B01B07
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00B01B43
Sleep.KERNELBASE(000003E8), ref: 00B01CAC
WSAStartup.WS2_32(00000202,?), ref: 00B01947

Part of subcall function 00B12780: ExitProcess.KERNEL32 ref: 00B127B0

Sleep.KERNEL32(000007D0), ref: 00B01DFC
SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000080), ref: 00B01E27
CopyFileA.KERNEL32(?,C:\daxjjwrfm\tkjnbticppc.exe,00000000), ref: 00B01E45
SetFileAttributesA.KERNEL32(C:\daxjjwrfm\tkjnbticppc.exe,00000002), ref: 00B01E7B

Part of subcall function 00B1C080: Sleep.KERNEL32(000003E8), ref: 00B1C1C3

Part of subcall function 00AFBBA0: wvsprintfA.USER32(00000000,?,00B109D1), ref: 00AFBBEB

CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00B02194
Sleep.KERNEL32(0000C350), ref: 00B02210

Strings

X>U, xrefs: 00B00B0B, 00B00D6E, 00B00D88, 00B01446, 00B01919, 00B019EB, 00B01A96
0JU, xrefs: 00B004C3, 00B004CA
C:\Users\user, xrefs: 00B003F3
C:\daxjjwrfm\tkjnbticppc.exe, xrefs: 00B01892, 00B01905, 00B01E22, 00B01E39, 00B01E76, 00B02099
x7;C, xrefs: 00B00C47
Xzc, xrefs: 00B018C8, 00B018D6
\t3, xrefs: 00B01A90

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
String ID: 0JU$C:\Users\user$C:\daxjjwrfm\tkjnbticppc.exe$X>U$Xzc$\t3$x7;C
API String ID: 1500488346-3258653204
Opcode ID: 9b96a64e73978f8a08b542b35d63b776f7e0500aaac5d18f4c076ab4e16eb34e
Instruction ID: 57edbb69913166dbca30bac9890eb036778489278f53cabad1c8dae43e93444a
Opcode Fuzzy Hash: 9b96a64e73978f8a08b542b35d63b776f7e0500aaac5d18f4c076ab4e16eb34e
Instruction Fuzzy Hash: DA03FF75A10200DBD328DF68ED92A7E3BF5FB64700F60856AE502DB2B4EF749942CB51

Function 00B02490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00B3EAC8), ref: 00B02572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00B026EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00B02843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00B0289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00B0293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B029E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B02CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B02D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00B02EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00B0307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00B031FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00B0344D

Strings

C:\Users\user, xrefs: 00B02B0A, 00B02BCC
\, xrefs: 00B02F41
Wq0O, xrefs: 00B02FE3
C:\daxjjwrfm\, xrefs: 00B02960, 00B02CC9, 00B03032, 00B0321C

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-3631644381
Opcode ID: aad95e69162cc6b10f757eb78df4c6ec84b6c227936e791976830f819f812272
Instruction ID: 6e1d4ef62449e88e992dae5dbc2830d52809217b78d84924ebe845ab91a9e695
Opcode Fuzzy Hash: aad95e69162cc6b10f757eb78df4c6ec84b6c227936e791976830f819f812272
Instruction Fuzzy Hash: 138256B1900205CBD728DF28EC96ABE37F5FB54710F60816AE901CB2B1EF749986CB55

Function 00B1DB50 Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 662
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 00B1DD1A
LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?,00000000,00000001), ref: 00B1DDBB
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B1DE59
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00B1DEBE
HeapAlloc.KERNEL32(00B1D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B1DF03
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00B1DF39
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00B1DF73
HeapFree.KERNEL32(00B1D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B1DFDD
HeapAlloc.KERNEL32(00B1D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B1E00E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00B1E035

Strings

J)6v, xrefs: 00B1DC3A

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: FreeHeapLibrary$Alloc$AdaptersAddressInfoLoadProcProcess
String ID: J)6v
API String ID: 994048614-3523960662
Opcode ID: 4b9eda124f9fbaa3e944cc992c4576c491e7c743f56ec3d8dfcd67c7a24a4980
Instruction ID: a7ad5c37e6d0e872a482ca8dbdbd55e2cbb6d197f650d58a41eab1910a30bdd5
Opcode Fuzzy Hash: 4b9eda124f9fbaa3e944cc992c4576c491e7c743f56ec3d8dfcd67c7a24a4980
Instruction Fuzzy Hash: 4652D076A10301CBD328DF68FC926AE77F5FB58321B60852AE815DB270EF749942CB51

Function 00B08200 Relevance: 13.7, APIs: 9, Instructions: 167
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00B0826F
CreateServiceA.ADVAPI32(00000000,0054FC10,0054FC10,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B082CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00B08301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00B08323
CloseServiceHandle.ADVAPI32(00000000), ref: 00B0833A
OpenServiceA.ADVAPI32(00000000,0054FC10,00000010), ref: 00B0838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00B083C2
CloseServiceHandle.ADVAPI32(00000000), ref: 00B08408
CloseServiceHandle.ADVAPI32(00000000), ref: 00B08481

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 7c48502f42f2518583820e40478154863ee34134a3d84d1db7ff47e8a2d3d036
Instruction ID: 55cab936db51f7126e6b31479de294002d7370d2e7a1acbfb9066d4c23f1945e
Opcode Fuzzy Hash: 7c48502f42f2518583820e40478154863ee34134a3d84d1db7ff47e8a2d3d036
Instruction Fuzzy Hash: 0061B8726152029BD328CB28FC96B7E3BF4FB54B02F209516E845C72B4EF709982CB45

Function 00B1CBE0 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00B1CD44

Part of subcall function 00AF40B0: lstrlen.KERNEL32(?,?,00AF1038,?), ref: 00AF40DD

Strings

X>U, xrefs: 00B1D14C
PKU, xrefs: 00B1D260

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: ComputerNamelstrlen
String ID: PKU$X>U
API String ID: 4141851928-1022260666
Opcode ID: b63d21f7641155ded3ffd41e777f425cb221d2064efe1db20f74c62a3728a784
Instruction ID: ba8ee182594fd21168df56a814b4b752804aa4411954f90932016d6d31df25c2
Opcode Fuzzy Hash: b63d21f7641155ded3ffd41e777f425cb221d2064efe1db20f74c62a3728a784
Instruction Fuzzy Hash: 6B52F571910204CBC728EF64ED92AFE77F5FB54300F60816AE506AB2B1EF30A985CB55

Function 00B13060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00B1327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00B1344B
CloseHandle.KERNELBASE(?), ref: 00B134DA

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 67ebc48a405e64fc6be310069c7451c96c077dce13bbdc017917876c04d3159e
Instruction ID: 47e6bf8f8b1dbc4d614053ee667509ed1a827697424a23cf778fc915df0c57c7
Opcode Fuzzy Hash: 67ebc48a405e64fc6be310069c7451c96c077dce13bbdc017917876c04d3159e
Instruction Fuzzy Hash: B6C12575A10610DBC324CF68FC91AAE33F5F758722B70856AE806D7274EF749982CB84

Function 00B17040 Relevance: 4.8, APIs: 3, Instructions: 256
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00B17229
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00B17275
CryptGenRandom.ADVAPI32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B173AD

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: d98493cce3ba85e1549bb4a715af8e87d11e93f9687f352a75fe0fcc67278a0c
Instruction ID: b20897364a1c120682a04670c7d2cdd5edfe14eb2cd3db2d6d8dca6ebe999bc1
Opcode Fuzzy Hash: d98493cce3ba85e1549bb4a715af8e87d11e93f9687f352a75fe0fcc67278a0c
Instruction Fuzzy Hash: 74B1D275A14201CBD728DF28FDD2AAA37F1FB18710B70422AE516D76B0EF349882CB45

Function 00B138B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00B13A0F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00B13A3E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00B13A52

Strings

D, xrefs: 00B139D3

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: dd87d04677c6bdf2ff95813a389763e5e384ad503b63f4e79f2dcfc7bfaf838c
Instruction ID: c0a0a9d0a7c6b4f5c1eace1b693a0316f372587f01332750c339e2c08ac4f86b
Opcode Fuzzy Hash: dd87d04677c6bdf2ff95813a389763e5e384ad503b63f4e79f2dcfc7bfaf838c
Instruction Fuzzy Hash: EF4102B19002049FD728CF58ED91BAD37F5FB54B11F60801AE506DB2B4EFB4A986CB85

Function 00B1E880 Relevance: 6.2, APIs: 4, Instructions: 206
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00B1E966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 00B1E9D7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00B1EADD

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 116adc52b3b001e8f44a1f6430a2d26b5a9fe1db0084f6f25b8c1f08e13d998f
Instruction ID: ec3dc99ead4de0bd6be002623301c384519ce9819b89668c087ab3b2c136213d
Opcode Fuzzy Hash: 116adc52b3b001e8f44a1f6430a2d26b5a9fe1db0084f6f25b8c1f08e13d998f
Instruction Fuzzy Hash: 1981EE75A10204DBD324DF68FC92AAA37F5F788700F609559E9158B2A0EF70E882CF95

Function 00B1C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00B02591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00B02591), ref: 00B1C701
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00B1C737
FreeSid.ADVAPI32(?), ref: 00B1C798

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 14c516fb8f5af8f018cac835f7f36d515705ccd7d3778659595af958adb41680
Instruction ID: 06f72e462d13ebfda774a84c57ad0bddbb1e39655d1353e1f161329599353d91
Opcode Fuzzy Hash: 14c516fb8f5af8f018cac835f7f36d515705ccd7d3778659595af958adb41680
Instruction Fuzzy Hash: 7341E335A40244DFC728DF68EDD6AAE7BF1FB58301B60815AE506C7261EF34A986CF05

Function 00B06F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00B09195,021A1850,?,?,?,?,?,00B16DD6), ref: 00B06F59
RtlAllocateHeap.NTDLL(00000000,?,00B09195,021A1850,?,?,?,?,?,00B16DD6), ref: 00B06F60

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 885c24713766a8c2bba75ab1eec1b884f5292eb44a8e4489261e273c81e6abda
Instruction ID: 50bcf812fd60a58b68b8a241a8bb590f3fbbabe640e9b4f41dbeda65eefe7f20
Opcode Fuzzy Hash: 885c24713766a8c2bba75ab1eec1b884f5292eb44a8e4489261e273c81e6abda
Instruction Fuzzy Hash: 10F0A0315107018BCB18EB64FD9AB293BE9FB547017244018F606CB6B0EEB6A511C798

Function 00B0C520 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00B20A4E,?,00B20A4E,00000000), ref: 00B0C549
RtlFreeHeap.NTDLL(00000000,?,00B20A4E,00000000), ref: 00B0C550

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a7363363fd3943a5f69fa9252f7fdbcb32a461d28bacd20d69e852dc80cc7431
Instruction ID: f48131e8be93ceeacf9e347d77410ab6dffba8d46b10206b2516ead8b12501ac
Opcode Fuzzy Hash: a7363363fd3943a5f69fa9252f7fdbcb32a461d28bacd20d69e852dc80cc7431
Instruction Fuzzy Hash: 41F065759082049FD6149F59EC9A6793BF4EB44704F204509E905C76B0DF70F881CB55

Function 00B02290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00B022A2
CharLowerBuffA.USER32(?,00000000), ref: 00B022BE

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 7e11cf5253f734c63ffc59622f0812918a26e40ce20e3d5feb64136b9b8a6999
Instruction ID: 7e50eba5f1c455de74b52b4eb012d954356287ce68a59f9cce4bb0dd46c1903f
Opcode Fuzzy Hash: 7e11cf5253f734c63ffc59622f0812918a26e40ce20e3d5feb64136b9b8a6999
Instruction Fuzzy Hash: 1FE04F72144A249B83509F98FD594FD77FCFA157023244056F54AC35B0EF74594287A5

Function 00AF72E0 Relevance: 1.7, APIs: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AF7452

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 45ec18f201d62852079bcaccadcb6b44f8190c5ed22c10afdb4dadafc7f54aee
Instruction ID: 88e88342c7c49c8245fb94fd0fab90512172786b20cf7236e7120d6acad8e597
Opcode Fuzzy Hash: 45ec18f201d62852079bcaccadcb6b44f8190c5ed22c10afdb4dadafc7f54aee
Instruction Fuzzy Hash: 8E51E476A012149BD328DB28FC92ABE37F5F794711F20812AF501C72A4EF749882CB45

Function 00B12780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00B127B0

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3a26f2d805ecdc23a391252699bdc580ee1e81a25ed89ce746e1b59605108716
Instruction ID: 4b486bc3329f9c2edccbbb948e68b218cb47907cae4830e81e15e52aab6f6ee0
Opcode Fuzzy Hash: 3a26f2d805ecdc23a391252699bdc580ee1e81a25ed89ce746e1b59605108716
Instruction Fuzzy Hash: 33D05E704303088AC710AF60FDA592A37ACFA607017101416A4008F2A0EF78F68287D1

Non-executed Functions

Function 00B1EEB0 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 444pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00B1F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00B1F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 00B1F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00B1F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00B1F2C2
CloseHandle.KERNEL32(00000000), ref: 00B1F353
CloseHandle.KERNEL32(?), ref: 00B1F367
CloseHandle.KERNEL32(00000000), ref: 00B1F37B
CloseHandle.KERNEL32(00000000), ref: 00B1F3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00B1F446
CloseHandle.KERNEL32(00000000), ref: 00B1F4D4
CloseHandle.KERNEL32(00000000), ref: 00B1F4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 00B1F56B
CloseHandle.KERNEL32(?), ref: 00B1F586
CloseHandle.KERNEL32(?), ref: 00B1F5A7

Strings

D, xrefs: 00B1F1D6
;8\w, xrefs: 00B1F4FA
<,]8, xrefs: 00B1F2D1

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D
API String ID: 1130065513-4129721015
Opcode ID: c6688a8493b1373ac1444664726a0a4c2751b736869e7cd2d441b47a14e02a92
Instruction ID: d240a682863daaf8fd8fb11ac8ec2881a324224d7450fa11d3e0d27a58122946
Opcode Fuzzy Hash: c6688a8493b1373ac1444664726a0a4c2751b736869e7cd2d441b47a14e02a92
Instruction Fuzzy Hash: 7712E175A10205DFC728CF68ED95ABE37F5FB58711B20812AE802D72B4EF349982CB55

Function 00B1B7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00B1B8EC
Process32First.KERNEL32(00000000,00000128), ref: 00B1BA96

Strings

9y8, xrefs: 00B1BC13

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: d3985a602ebdce832e787dc3c2f0376ee51ce7a005237906b29690c5d4c3a72d
Instruction ID: ac0b6ee245d05f3a06fa8d4d291d4cfa9f2078f716df3e50a608de51c3127f33
Opcode Fuzzy Hash: d3985a602ebdce832e787dc3c2f0376ee51ce7a005237906b29690c5d4c3a72d
Instruction Fuzzy Hash: 6BF13671A10214CBC728DF29ED92ABE37F5FB94710B60816AE406C7374EF749982CB51

Function 00AF60A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF40B0: lstrlen.KERNEL32(?,?,00AF1038,?), ref: 00AF40DD

Sleep.KERNEL32(000003E8), ref: 00AF6189
FindFirstFileA.KERNEL32(?,?), ref: 00AF6274
DeleteFileA.KERNEL32(?), ref: 00AF632E
FindNextFileA.KERNEL32(?,?), ref: 00AF6384
FindClose.KERNEL32(?), ref: 00AF63AA

Strings

ysh, xrefs: 00AF6159, 00AF6169

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: ysh
API String ID: 3282225923-1904326249
Opcode ID: f95743d9eca89caa346c6a9daf36de6f2a99018618ff748979bfbe3f54113cf8
Instruction ID: 3b5f417c8050f7aece6e9eeee8f9b66c26b63b6b759b99df6ab91e4ea20c4eab
Opcode Fuzzy Hash: f95743d9eca89caa346c6a9daf36de6f2a99018618ff748979bfbe3f54113cf8
Instruction Fuzzy Hash: 5F81E275900214DFC728DF64FD96AAD77B5FBA4300F24815AE505872B4EF709A42CB51

Function 00B1A050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 00B1A124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 00B1A164
GetLastError.KERNEL32(?,00000000,00000001), ref: 00B1A176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 00B1A24F

Part of subcall function 00AFBBA0: wvsprintfA.USER32(00000000,?,00B109D1), ref: 00AFBBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 00B1A44C

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: 544cf989f7b6693f09aa740b643a2596ae2cff88adda165f2bb215fed345bee0
Instruction ID: e49224069d103ed8a10b0b88c7fc97788fe5cdcd36e53d90c9da6461b2c4d25d
Opcode Fuzzy Hash: 544cf989f7b6693f09aa740b643a2596ae2cff88adda165f2bb215fed345bee0
Instruction Fuzzy Hash: D1C10372901214DBD324CF68FD91AAE77F5FB58700F60812AE505DB3A4EF70A942CB56

Function 00B12950 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 309sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00B12CB0
Sleep.KERNEL32(00015F90), ref: 00B12E36
DeleteFileA.KERNEL32(?), ref: 00B12E4D

Strings

X>U, xrefs: 00B12D04

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$DeleteModuleNameSleep
String ID: X>U
API String ID: 2157229623-3341424668
Opcode ID: 211cdc8fe7e5b59c7536c903967960346e485d152ad6051d61b21223849f60f3
Instruction ID: 8566fd3b7f4db3271b0c9d635ffe12c19abea93e5f945a1804cf2eba29b537f8
Opcode Fuzzy Hash: 211cdc8fe7e5b59c7536c903967960346e485d152ad6051d61b21223849f60f3
Instruction Fuzzy Hash: DBD143729102049BC328EF68FC92BBE37F5FB98701F60455AE5058B2B5EF349982CB55

Function 00AFB150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AFB1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AFB256
CloseHandle.KERNEL32(00000000), ref: 00AFB26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AFB2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00AFB31A
CloseHandle.KERNEL32(00000000), ref: 00AFB334

Strings

td9k, xrefs: 00AFB23D

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 41205219c3b3bafd17c0875066cd4cd2e4e07629fb18c84e88049e678fc9ccf3
Instruction ID: 9daad7db8d54cd4a244007bb7b870c26c9c1bc84c67a9fba23228992f9cd2d5e
Opcode Fuzzy Hash: 41205219c3b3bafd17c0875066cd4cd2e4e07629fb18c84e88049e678fc9ccf3
Instruction Fuzzy Hash: 0151C175611205EBC324DF6DED81AAE77B5FB84714F20822AE8058B6A0EF309D42CF95

Function 00AFB531 Relevance: 12.2, APIs: 8, Instructions: 188registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(0054FC10,Function_00014290,?,?,00000072), ref: 00AFB669
SetServiceStatus.ADVAPI32(00000000,00B367EC,?,?,00000072), ref: 00AFB70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 00AFB721
SetServiceStatus.ADVAPI32(00000000,00B367EC,?,?,00000072), ref: 00AFB771
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 00AFB7D0
SetServiceStatus.ADVAPI32(00000000,00B367EC,00000072), ref: 00AFB82A
CloseHandle.KERNEL32(00000000), ref: 00AFB841
SetServiceStatus.ADVAPI32(00000000,00B367EC), ref: 00AFB8AA

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: f784a1ec2f0c0fcd837d025a9b46b964c829c1be12759a184cd95d7e8e706506
Instruction ID: def6c13fa6939f848d9fae428a6902164355ed2b411340ea2263b9038d80282c
Opcode Fuzzy Hash: f784a1ec2f0c0fcd837d025a9b46b964c829c1be12759a184cd95d7e8e706506
Instruction Fuzzy Hash: 5081D976611211DBC328DF29FD9582E3BF5FB68705760C52AE822CB2B4EF749802CB55

Function 00B1A760 Relevance: 10.8, APIs: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 00B1A7F1
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 00B1A849
CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 00B1A885
GetTickCount.KERNEL32 ref: 00B1A8B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00B1AA75
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 00B1AAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1AAE2

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: a19a3c6c8cc38e9a61f2771b0d348a26b8d611ae3a9f9ac4696e35413c1d7915
Instruction ID: 62e788e04d62eb7eaf8230f7a04a842b436f1e74c689f556286072296035505c
Opcode Fuzzy Hash: a19a3c6c8cc38e9a61f2771b0d348a26b8d611ae3a9f9ac4696e35413c1d7915
Instruction Fuzzy Hash: D3A1E175601210DBD314DF28ED82BBE33F5EB98711F64412AF905D72A4EF74A882CB96

Function 00B11E90 Relevance: 10.7, APIs: 7, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B11F5E
Process32First.KERNEL32(00000000,00000128), ref: 00B11FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B120A2

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: d532f5600799d16b804ccfacf74bf7824c0ca3b034dabdcffe453e00e65e1666
Instruction ID: 2442ab5c43a34daa980afcf12a646de42df7b0d60f379414e1fec567f341d356
Opcode Fuzzy Hash: d532f5600799d16b804ccfacf74bf7824c0ca3b034dabdcffe453e00e65e1666
Instruction Fuzzy Hash: 6CA10EB5501200CFC328DF28EC96AAD73F5FB64311B20816AD805DB274EF349A92CF45

Function 00B07110 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00B07221
RegSetValueExA.ADVAPI32(?,00554B50,00000000,00000001,?,00000000), ref: 00B072E0
RegCloseKey.ADVAPI32(?), ref: 00B07300

Strings

IR, xrefs: 00B07313
PKU, xrefs: 00B072CC

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CloseOpenValue
String ID: PKU$IR
API String ID: 779948276-2662544209
Opcode ID: 58044019b44c67282ac38e541a5d35c4f6892065c7a0a14e2e0bed8b313aa473
Instruction ID: 5a6fa31c9f0db4bc0792ad0bba9fba42b7d452bbaa62a5488a970f17cf401811
Opcode Fuzzy Hash: 58044019b44c67282ac38e541a5d35c4f6892065c7a0a14e2e0bed8b313aa473
Instruction Fuzzy Hash: 624157756112009BD724DF28FC82A7E77F5E754711B24412AF841C73B0EF789842CB56

Function 00B11950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00B18262,Function_00001300,00000001,?), ref: 00B1199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00B119C2
CloseHandle.KERNEL32(00000000,?,00B18262,Function_00001300,00000001,?), ref: 00B119DD
WaitForSingleObject.KERNEL32(?,000000FF,?,00B18262,Function_00001300,00000001,?), ref: 00B119F2
CloseHandle.KERNEL32(?,?,000000FF,?,00B18262,Function_00001300,00000001,?), ref: 00B11A19

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 00e2fcd53501b4dc7d1d45352264b5e5e22d9804ed5a27d86dd754f975f19d35
Instruction ID: 164d0c1df44b8e6419b2b4e5263cab1a2f78975c2a5f1ecf7aef968d026dba44
Opcode Fuzzy Hash: 00e2fcd53501b4dc7d1d45352264b5e5e22d9804ed5a27d86dd754f975f19d35
Instruction Fuzzy Hash: 2D21E431200300EFC324DF24EC96F6A3BA4FB58710F208519FA568B6B4DFB09841CB95

Function 00B0C250 Relevance: 6.1, APIs: 4, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B0C312
Process32First.KERNEL32(00000000,?), ref: 00B0C35A
Process32Next.KERNEL32(00000000,00000128), ref: 00B0C478

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 75f552bce8d71ed9039c9a45bf8aeb7afca1699cdae6500ded9fcbed46ac865c
Instruction ID: c704f3cc7f5cb22736e5958db822f5404f2f51ce1a006db1178c0fb034a5a500
Opcode Fuzzy Hash: 75f552bce8d71ed9039c9a45bf8aeb7afca1699cdae6500ded9fcbed46ac865c
Instruction Fuzzy Hash: C0512171910211CBD728CF24FD95AAD3BF6FB84300F20816AE8069B6A4EF749981CF95

Function 00B1FAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00B20A87,00000000,?,?,?,?,?,00000001), ref: 00B1FAF7
RtlReAllocateHeap.NTDLL(00000000,?,00B20A87,00000000), ref: 00B1FAFE
GetProcessHeap.KERNEL32(00000000,?,?,00B20A87,00000000,?,?,?,?,?,00000001), ref: 00B1FB19
HeapAlloc.KERNEL32(00000000,?,00B20A87,00000000,?,?,?,?,?,00000001), ref: 00B1FB20

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 903f10f4ad451b2107e34eb43bf9aa422be929c8b15f0fd054b65e33988e0edf
Instruction ID: 7358e3b72ca222a114afb06180729b66245ffee2c6e8e9692317b560901253cb
Opcode Fuzzy Hash: 903f10f4ad451b2107e34eb43bf9aa422be929c8b15f0fd054b65e33988e0edf
Instruction Fuzzy Hash: 37F01C70510205FFDB149FB4EC09AAA3B68FB88611F208118F919C76A0DF319941CB65

Function 00AF3DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00AF3E43
__aulldiv.LIBCMT ref: 00AF3E74

Strings

L9<8, xrefs: 00AF3F4F

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: 22b184205a9d3e92e25608c108c7b9bae37f6efb94ead7c716d4fda6dc8038dd
Instruction ID: 4276f45f10f595d76be67b7f861da57eb0ad571fc2eeb9b624de3213350743ea
Opcode Fuzzy Hash: 22b184205a9d3e92e25608c108c7b9bae37f6efb94ead7c716d4fda6dc8038dd
Instruction Fuzzy Hash: 7641FFB6A106048BCB29CF48EDA163D77B6FB95B14720811AE5069B770DF74AD42CB81

Function 00B199B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00B19A16
GetTickCount.KERNEL32 ref: 00B19B6B

Strings

@(l$, xrefs: 00B19ABD

Memory Dump Source

Source File: 00000002.00000002.1388860445.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1388849292.0000000000AF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388883648.0000000000B22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388905084.0000000000B23000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388917333.0000000000B26000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1388935034.0000000000B3F000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_ew3dvaplid9hjn8.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @(l$
API String ID: 2164215191-2034585603
Opcode ID: d2fc221eb3cd5d5781555cedc7d9a25187500a3363fa591f403e6009e5e657a4
Instruction ID: f4d9a879e10aa2fac51f188efdca526381aceeb68e06760db8c1b565639b3968
Opcode Fuzzy Hash: d2fc221eb3cd5d5781555cedc7d9a25187500a3363fa591f403e6009e5e657a4
Instruction Fuzzy Hash: FB418B72911210CBD364DF28FCD29BE37E1FB94721364452AD846CB674EF35A942CB50

Analysis Process: qbpabupgx.exePID: 7908, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	18.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1372
Total number of Limit Nodes:	18

Executed Functions

Function 00502490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0053EAC8), ref: 00502572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 005026EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00502843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0050289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0050293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005029E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00502CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 00502D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00502EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0050307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 005031FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0050344D

Strings

C:\daxjjwrfm\, xrefs: 00502960, 00502CC9, 00503032, 0050321C
C:\Windows\system32\config\systemprofile, xrefs: 00502B0A, 00502BCC
\, xrefs: 00502F41
Wq0O, xrefs: 00502FE3

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-4043548932
Opcode ID: 10a20bd2fff71b9c33fd19f19173668c0e255fe948bce9cf662433ab58a03724
Instruction ID: 191e156553f982054ec22c17c3643e758e7d0e5aaac4378aa48f09f0456594ce
Opcode Fuzzy Hash: 10a20bd2fff71b9c33fd19f19173668c0e255fe948bce9cf662433ab58a03724
Instruction Fuzzy Hash: E68215B5900205CBD728DF24FC96ABA3BB5FBB5310F00812AE501C73A1E774998EEB55

Function 005101B0 Relevance: 27.3, APIs: 10, Strings: 5, Instructions: 1003
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 005103F1
SbJ, xrefs: 00510E0D
!|/0, xrefs: 00510AE8
'~(-, xrefs: 00510449
*c, xrefs: 00510F6B

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Time$FileSystem__aulldivlstrlen
String ID: !|/0$'~(-$/$SbJ$*c
API String ID: 3360920532-2717626210
Opcode ID: b1b790b3f7b81c8fa2ce45db68ab87ce95b7e169a763bc112be256559906949a
Instruction ID: 690b86677b8b1042dcf128590ac322520662a30b51cd324673d235af2e749682
Opcode Fuzzy Hash: b1b790b3f7b81c8fa2ce45db68ab87ce95b7e169a763bc112be256559906949a
Instruction Fuzzy Hash: 0B9235759002058BE718DF24FC966BA7BB5FFB5310F10802AE4069B3A1EB745D8AEF54

Function 0051DB50 Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 662
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001), ref: 0051DD1A
LoadLibraryA.KERNELBASE(00000000,?,?,?,?,?,?,00000000,00000001), ref: 0051DDBB
GetProcAddress.KERNEL32(00000000,00000000), ref: 0051DE59
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0051DEBE
HeapAlloc.KERNEL32(0051D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0051DF03
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0051DF39
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0051DF73
HeapFree.KERNEL32(0051D075,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0051DFDD
HeapAlloc.KERNEL32(0051D075,00000000,00000288,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0051E00E
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0051E035

Strings

J)6v, xrefs: 0051DC3A

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: FreeHeapLibrary$Alloc$AdaptersAddressInfoLoadProcProcess
String ID: J)6v
API String ID: 994048614-3523960662
Opcode ID: 4666c6109c45b0fb6bce33a652e0093121c6ea420c36e27a04e32e032a54126f
Instruction ID: c1e018290506a6815531203ffb6cc320e00762b01890fd1f04ffdd9b1d85f227
Opcode Fuzzy Hash: 4666c6109c45b0fb6bce33a652e0093121c6ea420c36e27a04e32e032a54126f
Instruction Fuzzy Hash: D252E276A00701DFD728DF28FC926AA7BF5FB79311B10452AE805C7360E774988AEB51

Function 005000C8 Relevance: 21.6, APIs: 7, Strings: 5, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 005003F9

Strings

x7;C, xrefs: 00500C47
C:\Windows\system32\config\systemprofile, xrefs: 005003F3
jjj, xrefs: 00500421
hC<, xrefs: 00500968
h5, xrefs: 005003BB

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: EnvironmentVariable
String ID: C:\Windows\system32\config\systemprofile$hC<$h5$jjj$x7;C
API String ID: 1431749950-3980740699
Opcode ID: f99dfcf5394d60968390ecec54a6edb0c87df95c96dc0454d809be7bfc946214
Instruction ID: ef3ec30f2ec3ce0419c1379b277aefb9cd9b4ac765bf1d2f8d542ad47081c240
Opcode Fuzzy Hash: f99dfcf5394d60968390ecec54a6edb0c87df95c96dc0454d809be7bfc946214
Instruction Fuzzy Hash: C8420075A01300DBD728DF64EC96A7A7BF5FBB5300F04812AE501DB3A1E778994AEB50

Function 004F60A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F40B0: lstrlen.KERNEL32(?,?,004F6175,?,00000104,?,00000001), ref: 004F40DD

Sleep.KERNELBASE(000003E8,00000001), ref: 004F6189
FindFirstFileA.KERNELBASE(?,?), ref: 004F6274
DeleteFileA.KERNELBASE(?), ref: 004F632E
FindNextFileA.KERNELBASE(?,?), ref: 004F6384
FindClose.KERNEL32(?), ref: 004F63AA

Strings

xsh, xrefs: 004F6159, 004F6169

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: xsh
API String ID: 3282225923-3135071692
Opcode ID: f8ec8245a0bcac3e2aef34977cb55842e5569b2014397e17fc668967bebfed9d
Instruction ID: aad53a61532cc791b1fffa7fc909abe316018e1907298dc2d1f547854891b950
Opcode Fuzzy Hash: f8ec8245a0bcac3e2aef34977cb55842e5569b2014397e17fc668967bebfed9d
Instruction Fuzzy Hash: 69812375900208DFD728DF64EC96AAA77B5FBB5300F04815AE505873B0FB348A4AEF95

Function 0051FE10 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 573
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\daxjjwrfm\tkjnbticppc.exe, xrefs: 005207EF
1BJ, xrefs: 00520617
mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe", xrefs: 005207EA

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CountSystemTickTime
String ID: 1BJ$C:\daxjjwrfm\tkjnbticppc.exe$mdziuzwugsse "c:\daxjjwrfm\qbpabupgx.exe"
API String ID: 2164215191-4072432483
Opcode ID: c6b489a25a75e5dc67b95ed5fbaa8524a00fc41a512a07b86ec76d2f72bee9e3
Instruction ID: 20e874b524a5e9daf7aae4d4fa8b31866ef7ae0801a4e3a42cb2a425faad1933
Opcode Fuzzy Hash: c6b489a25a75e5dc67b95ed5fbaa8524a00fc41a512a07b86ec76d2f72bee9e3
Instruction Fuzzy Hash: EA420275901214CBD718DF64FC92AAA7BB5FFB5300F00912AE406973A1E774A98DEF90

Function 00513060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?), ref: 0051327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0051344B
CloseHandle.KERNELBASE(?), ref: 005134DA

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 17d8521d14145fc7bc6c83212f19c104c6005fa41d0f87f7218c3af8e0884384
Instruction ID: 8e27b6526896857904cd0ff1c324a724d8a5ea235daca7b14da74286495bc27a
Opcode Fuzzy Hash: 17d8521d14145fc7bc6c83212f19c104c6005fa41d0f87f7218c3af8e0884384
Instruction Fuzzy Hash: 52C11476A10614DBD314CF68FC916AA37F5FBB9321B10852AE801C7374E774998EEB84

Function 00517040 Relevance: 4.8, APIs: 3, Instructions: 256
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00517229
GetProcAddress.KERNEL32(76DA0000,00000000), ref: 00517275
CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 005173AD

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: eade699de112849c458a910d0d94e4e6ec23e414c61cbe0963e3043531b5af23
Instruction ID: 029e2dfc082a6bb47b58d86b1e36918a7de1fdc9a5f8e525c41e007eac039ece
Opcode Fuzzy Hash: eade699de112849c458a910d0d94e4e6ec23e414c61cbe0963e3043531b5af23
Instruction Fuzzy Hash: 5FB1E475A15205CBE728CF28FD966A53BF1FB7A310B104129E502CB3B0E774988EEB55

Function 0051CBE0 Relevance: 2.1, APIs: 1, Instructions: 633COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 0051CD44

Part of subcall function 004F40B0: lstrlen.KERNEL32(?,?,004F6175,?,00000104,?,00000001), ref: 004F40DD

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: ComputerNamelstrlen
String ID:
API String ID: 4141851928-0
Opcode ID: 8a1024c9c2b1a69df00d3d75c16b7783a702f71b8d7740672cddcaa6d0647d53
Instruction ID: b74b531a57a5b7910d7e0d0207a3517b7ce0dc48903507ee331d0ed5cec9bb7f
Opcode Fuzzy Hash: 8a1024c9c2b1a69df00d3d75c16b7783a702f71b8d7740672cddcaa6d0647d53
Instruction Fuzzy Hash: F052F371900205DBD718DB24EC96AFA77B5FFB4300F00812AE506973B1EB746A8DEB65

Function 00515010 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0051503B

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 8273449e3c11957da7bf6753792eb30e2c2634279a9f81f57d0dd150fa6d2561
Instruction ID: 8922d660a62a59fcf84307b5c6f79bff72624ef19b313e60e3a9cbcad86a89a4
Opcode Fuzzy Hash: 8273449e3c11957da7bf6753792eb30e2c2634279a9f81f57d0dd150fa6d2561
Instruction Fuzzy Hash: 48F05871D142099FCB04CF68EC414AA7BF8FB24319B4449A9E804C3364F7799608EB85

Function 004FB531 Relevance: 12.2, APIs: 8, Instructions: 190
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(014BE398,Function_00014290,E4E0A1C8,?,?,00000005,00000072), ref: 004FB669
SetServiceStatus.SECHOST(014CB380,005367EC,?,?,00000005,00000072), ref: 004FB70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000005,00000072), ref: 004FB721
SetServiceStatus.ADVAPI32(014CB380,005367EC,?,?,00000005,00000072), ref: 004FB771
WaitForSingleObject.KERNEL32(00000200,00001388,?,?,00000005,00000072), ref: 004FB7D0
SetServiceStatus.ADVAPI32(014CB380,005367EC,00000072), ref: 004FB82A
CloseHandle.KERNEL32(00000200), ref: 004FB841
SetServiceStatus.ADVAPI32(014CB380,005367EC), ref: 004FB8AA

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 677aa3be026c03c0fe0b516d59a632f7594c883b4c78abf6aeb27e3b00c06d4a
Instruction ID: f4f0018728c419f8cfecdbaae4b519a73ce5eda520089d6aa4f3602f14074058
Opcode Fuzzy Hash: 677aa3be026c03c0fe0b516d59a632f7594c883b4c78abf6aeb27e3b00c06d4a
Instruction Fuzzy Hash: C481B6765012029BD318CF25EC969263BE5FBBA705700C51EE4028B3B4E778980EEBA4

Function 005138B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,005207F9,00000000,00000000,00000000,00000008,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00513A0F
CloseHandle.KERNEL32(005207F9,?,?,?,?,00000001), ref: 00513A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000001), ref: 00513A52

Strings

D, xrefs: 005139D3

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: aecdb84193c2a7d380190bbe05b6701e3230cbba8a6f4f967688f6525b8ed406
Instruction ID: 91cd1be997e62dcbb78daf1141870388b387eed6e60f39a38e173e5454c8e2f8
Opcode Fuzzy Hash: aecdb84193c2a7d380190bbe05b6701e3230cbba8a6f4f967688f6525b8ed406
Instruction Fuzzy Hash: 934114719002049BE718CF58ECA1BA93BB5FF74711F00801AE506DB3A4E3B0998DEB95

Function 0050C250 Relevance: 6.1, APIs: 4, Instructions: 148
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 0050C312
Process32First.KERNEL32(00000000,?), ref: 0050C35A
Process32Next.KERNEL32(00000000,00000128), ref: 0050C478

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 1b01acbddde3d817a65811b735ca47c92349ec9a923f52d712c4bcabede62f79
Instruction ID: 2344b23ddd607dce317d333a3dab4954136f0e739ba4d9347d3ca6a54a53cca5
Opcode Fuzzy Hash: 1b01acbddde3d817a65811b735ca47c92349ec9a923f52d712c4bcabede62f79
Instruction Fuzzy Hash: 27512375900211CBD728CF20FD596B93BB5FBB5301F00851AE8069B7A4EB74998DEF91

Function 0051C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00502591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00502591), ref: 0051C701
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0051C737
FreeSid.ADVAPI32(?), ref: 0051C798

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8e61836a5dc05a45d102f951ec7aadb2114f11d33f98e1e989b61967afa8c4f8
Instruction ID: 410d4a1312071602542d86abd6b4fca513e3a0de0a5d0e3c653abd400d0f4e1c
Opcode Fuzzy Hash: 8e61836a5dc05a45d102f951ec7aadb2114f11d33f98e1e989b61967afa8c4f8
Instruction Fuzzy Hash: 6741D075A40244DFD728CFA8ED969A97BF5FF7A300B108159E502C7361E734A98AEF01

Function 0050C389 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 0050C478
CloseHandle.KERNELBASE(00000000), ref: 0050C4D5

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: c4adb7338b0f2335a7f4e44795a9180c017124d1fa46edfe308d7f0cb7c3618a
Instruction ID: 2bbf92eae1f838336d16aa496d07d0f65062ae3c8b72a54e55c8f50cf3dd4a83
Opcode Fuzzy Hash: c4adb7338b0f2335a7f4e44795a9180c017124d1fa46edfe308d7f0cb7c3618a
Instruction Fuzzy Hash: 7A3127759003059BD728DF20ED656E93BB9FBA4300F008559D5069A3A0E7745A8CDF50

Function 00506F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00509195,021A1850,?,?,?,?,?,00516DD6), ref: 00506F59
RtlAllocateHeap.NTDLL(00000000,?,00509195,021A1850,?,?,?,?,?,00516DD6), ref: 00506F60

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: eb7a7bac68dc25a35947aa9073998a099607100a44d80c7521c787be83f224e9
Instruction ID: 002797277f65f3d58164fb421510dbd01186f919f70c284151ec41845791274a
Opcode Fuzzy Hash: eb7a7bac68dc25a35947aa9073998a099607100a44d80c7521c787be83f224e9
Instruction Fuzzy Hash: 00F0EC35500B018BCF18EB64FC99A243BB9FF66601B044008E502876A0EAB2A40897A8

Function 0050C520 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000002,?,0051387D,00003C1C,00003C1C,00000000,-00000002,00000000,?,004F622A,00000002,00000000,?,00000000,00003C1C), ref: 0050C549
RtlFreeHeap.NTDLL(00000000,?,0051387D,00003C1C,00003C1C,00000000,-00000002,00000000,?,004F622A,00000002,00000000,?,00000000,00003C1C,00000002), ref: 0050C550

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1383c515e6d3cca8a1fa63529ae975c54e9b30d4854b37b33bf0016898108c28
Instruction ID: b34a37147e411ef864164982d009ba6b352d1cb11e4362b7967fbd85c8cdd530
Opcode Fuzzy Hash: 1383c515e6d3cca8a1fa63529ae975c54e9b30d4854b37b33bf0016898108c28
Instruction Fuzzy Hash: 68F065759083049FDA149F58EC9A6657BF4FB59704F004509E905C7770D770E888EB59

Function 00502290 Relevance: 3.0, APIs: 2, Instructions: 21stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0050C420,00000000,?,0050C420,?), ref: 005022A2
CharLowerBuffA.USER32(0050C420,00000000,?,0050C420,?), ref: 005022BE

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 99e74a921bb08b9b09ddd480d1c6d7f789227808c8229b60e0fb381227d527bf
Instruction ID: 9a8a762a049453b3dfdc03cdcfd0d278da94c66747c9c71cf04bb46b9fbf4a43
Opcode Fuzzy Hash: 99e74a921bb08b9b09ddd480d1c6d7f789227808c8229b60e0fb381227d527bf
Instruction Fuzzy Hash: FBE0DF72100A289B83149F98FC1A0F9B7FCFF393023044056F54AC23B0EB34194AA3A0

Function 004F72E0 Relevance: 1.7, APIs: 1, Instructions: 162fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 004F7452

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 98463e8d08312f06c9f0d4577bbcba76eddb3d0759a57e300757b7cef36c19d1
Instruction ID: 2ecf39cb398a1d4e12b3fabf145856cfd9bfd62203ab4ac7993447f4295bc689
Opcode Fuzzy Hash: 98463e8d08312f06c9f0d4577bbcba76eddb3d0759a57e300757b7cef36c19d1
Instruction Fuzzy Hash: 41510676A012149BD328DB28FC936B637B5FBB5711F10802AE501C77B5E738988AEB54

Function 005135C0 Relevance: 1.7, APIs: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 00513753

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4ee43757adf189a0e8221d7bc5109cfdd92ab787178bb144b7910912a34132ba
Instruction ID: c0463541f3fcf3a5629fd65ae0bb0793d94f57588292e688c8b94562e6eefab1
Opcode Fuzzy Hash: 4ee43757adf189a0e8221d7bc5109cfdd92ab787178bb144b7910912a34132ba
Instruction Fuzzy Hash: 9951CDB6A007109BEB14DF64FC92A653BE5FB74714F10412AE505CB3B0E7789989EB90

Function 0051C080 Relevance: 1.4, APIs: 1, Instructions: 153sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,00000000,?,0052007D,?,00000708,00000000), ref: 0051C1C3

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7c64b017846e94ac650a79917a277156b810381d8c927aba56ef80ebd640015f
Instruction ID: 38f5c5f8f96cefd14f2c825b6cf6dbd0b03689cc2e53f08e0c5172689545836b
Opcode Fuzzy Hash: 7c64b017846e94ac650a79917a277156b810381d8c927aba56ef80ebd640015f
Instruction Fuzzy Hash: AF514B75940311DBE314DB24EC926757BF4FBB5721B00542AE842C77B0E778898AFB91

Non-executed Functions

Function 0051EEB0 Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 444pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0051F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0051F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0051F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0051F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0051F2C2
CloseHandle.KERNEL32(00000000), ref: 0051F353
CloseHandle.KERNEL32(?), ref: 0051F367
CloseHandle.KERNEL32(00000000), ref: 0051F37B
CloseHandle.KERNEL32(00000000), ref: 0051F3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0051F446
CloseHandle.KERNEL32(00000000), ref: 0051F4D4
CloseHandle.KERNEL32(00000000), ref: 0051F4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 0051F56B
CloseHandle.KERNEL32(?), ref: 0051F586
CloseHandle.KERNEL32(?), ref: 0051F5A7

Strings

^KO, xrefs: 0051F522, 0051F5F1, 0051F541
<,]8, xrefs: 0051F2D1
;8\w, xrefs: 0051F4FA
D, xrefs: 0051F1D6

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D$^KO
API String ID: 1130065513-1725895288
Opcode ID: d20b1d3c7b00d9632f5a24d01d7c176b4618b91d5a80a787e7baf0a8ad2b4a77
Instruction ID: 1ffbec5ba7fb7b15108d4b48eb33f1e62d76f55af6b41bb3e4e9af5665493129
Opcode Fuzzy Hash: d20b1d3c7b00d9632f5a24d01d7c176b4618b91d5a80a787e7baf0a8ad2b4a77
Instruction Fuzzy Hash: 6512F375A00205DFD718CF64ED96AAA3BB5FBB8710B10852EE402C7374E774994AEF50

Function 0051B7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 0051B8EC
Process32First.KERNEL32(00000000,00000128), ref: 0051BA96

Strings

9y8, xrefs: 0051BC13

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: 96d440d3104cb923d9254b65512095fc96d34385dc61b711efd47c8fd1f2c77b
Instruction ID: 331ebdfffea3613c510b6635d6a8b2f16c3dd916333cf525cb04807770717262
Opcode Fuzzy Hash: 96d440d3104cb923d9254b65512095fc96d34385dc61b711efd47c8fd1f2c77b
Instruction Fuzzy Hash: 23F106756002058BE728DF29ED926B93BF5FBB5310B00811EE406C7774E774998EEB91

Function 00508200 Relevance: 13.7, APIs: 9, Instructions: 167serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0050826F
CreateServiceA.ADVAPI32(00000000,014BE398,014BE398,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005082CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00508301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00508323
CloseServiceHandle.ADVAPI32(00000000), ref: 0050833A
OpenServiceA.ADVAPI32(00000000,014BE398,00000010), ref: 0050838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 005083C2
CloseServiceHandle.ADVAPI32(00000000), ref: 00508408
CloseServiceHandle.ADVAPI32(00000000), ref: 00508481

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: f5533e8c8e4b26f84d69daf8542cbf29f10eb632ead9a93f8852e522435a9acf
Instruction ID: 12b7849ff8c76961fb44dd2c93466ea639a407ccaa42a7d3edd33e8dcccc5e20
Opcode Fuzzy Hash: f5533e8c8e4b26f84d69daf8542cbf29f10eb632ead9a93f8852e522435a9acf
Instruction Fuzzy Hash: AA61DD726056019BD328CB68FC96B793BF4FBB5701F04951AE841C63B0EB70988EEB51

Function 0051A050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 0051A124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 0051A164
GetLastError.KERNEL32(?,00000000,00000001), ref: 0051A176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 0051A24F

Part of subcall function 004FBBA0: wvsprintfA.USER32(00000000,?,005109D1), ref: 004FBBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 0051A44C

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: f49f0f2a1822e63a740aed9446f9ebdae8b7850a6b4fa6b2113ea3f35198f9fc
Instruction ID: e3482ff0f7fdc665b61ffa7633ac0fa46f6be55ee62fdac0fed17894ef3a2b6b
Opcode Fuzzy Hash: f49f0f2a1822e63a740aed9446f9ebdae8b7850a6b4fa6b2113ea3f35198f9fc
Instruction Fuzzy Hash: 13C11776901304DBE724CF64FD8666A7BF5FBB9300F00812AE505DB3A0E774994AEB52

Function 004FB150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 004FB1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 004FB256
CloseHandle.KERNEL32(00000000), ref: 004FB26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004FB2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 004FB31A
CloseHandle.KERNEL32(00000000), ref: 004FB334

Strings

td9k, xrefs: 004FB23D

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 05dbbae8837fb10b80407aced45ab5da4af33681cb8e5d8d8033e3b2649e0906
Instruction ID: 6525bd4f39822752dea994a0a1b40a29e9095047281f0073eaf5cc0997b19727
Opcode Fuzzy Hash: 05dbbae8837fb10b80407aced45ab5da4af33681cb8e5d8d8033e3b2649e0906
Instruction Fuzzy Hash: 54510575A012059BC324CF68FD81A6AB7B4FFA5314F10821BE805CB3A0E3349C4AEF95

Function 0051A760 Relevance: 10.8, APIs: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0051A7F1
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0051A849
CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 0051A885
GetTickCount.KERNEL32 ref: 0051A8B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0051AA75
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 0051AAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0051AAE2

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 65f8071982c8de4c47a415662ebbc549df97e2ed2dd17460a738d376758ac7fa
Instruction ID: 75c2c56b86d268b396b64c91e36d5839ca2243cf9c5de17049196b8af60c8efd
Opcode Fuzzy Hash: 65f8071982c8de4c47a415662ebbc549df97e2ed2dd17460a738d376758ac7fa
Instruction Fuzzy Hash: CEA10475601200DBE315DF28EC96BBA37B5FBB9711F14401AF901C73A0E774988AEB96

Function 00511E90 Relevance: 10.7, APIs: 7, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000), ref: 00511F5E
Process32First.KERNEL32(00000000,00000128), ref: 00511FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005120A2

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: af701ee8f9440cbc42e6d9b3e5695d160e85e66caf63c07f59a05150233ecfad
Instruction ID: 1aad6de98c880a19a25ce962f451a210d7801b1da97002cdeb704b2e99fe5b70
Opcode Fuzzy Hash: af701ee8f9440cbc42e6d9b3e5695d160e85e66caf63c07f59a05150233ecfad
Instruction Fuzzy Hash: 42A1FFB5601205DBE728DF24FD966A93BB5FB79311F00411AD806CA370E3349A8EEF54

Function 00511950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00518262,004F1300,00000001,?), ref: 0051199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 005119C2
CloseHandle.KERNEL32(00000000,?,00518262,004F1300,00000001,?), ref: 005119DD
WaitForSingleObject.KERNEL32(?,000000FF,?,00518262,004F1300,00000001,?), ref: 005119F2
CloseHandle.KERNEL32(?,?,000000FF,?,00518262,004F1300,00000001,?), ref: 00511A19

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: b76000cc688254885c8657aa1d0d01bab8320dbb6b735524b9715c7adf48c991
Instruction ID: 7d45c67df73eabb6df908d6b6b31eeb90476cb7d10ccffeb449495040903ace8
Opcode Fuzzy Hash: b76000cc688254885c8657aa1d0d01bab8320dbb6b735524b9715c7adf48c991
Instruction Fuzzy Hash: 9621DF31200300AFD328CF60EC9AB263BA4FF69710F10851DF6568B7B4D7B0A849EB95

Function 00507110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00507221
RegSetValueExA.ADVAPI32(?,014C1000,00000000,00000001,?,00000000), ref: 005072E0
RegCloseKey.ADVAPI32(?), ref: 00507300

Strings

IR, xrefs: 00507313

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseOpenValue
String ID: IR
API String ID: 779948276-3379982419
Opcode ID: 4900ef7ae61860c26103c5f88a459d63dc0bc722a3db980a4b5093420eae2617
Instruction ID: a013d1f64df086074499be74a4191ddbb9be7ec844d00d8b99788d391a9ef6a4
Opcode Fuzzy Hash: 4900ef7ae61860c26103c5f88a459d63dc0bc722a3db980a4b5093420eae2617
Instruction Fuzzy Hash: F141687A6012059BD728CF24FC86A7A37F5FBB9311B04441AE802C73B0E778984AFB55

Function 0051E880 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0051E966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 0051E9D7
CloseHandle.KERNEL32(00000000,?,?), ref: 0051EADD

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: df1300e94e39939b06dc35b3fcbd26d61b4633e87ea4f742f32775ddee0fa09f
Instruction ID: fa7e83b56f4a4fa36de4410162861c7c3626bcbbe2c181944d6fffad08efaf15
Opcode Fuzzy Hash: df1300e94e39939b06dc35b3fcbd26d61b4633e87ea4f742f32775ddee0fa09f
Instruction Fuzzy Hash: 9F81F3756002049FD724DF68FC96B6A3BB5FBB6300F104519E905C73A1DB74A88AEF94

Function 0051FAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00520A87,00000000,?), ref: 0051FAF7
RtlReAllocateHeap.NTDLL(00000000,?,00520A87,00000000), ref: 0051FAFE
GetProcessHeap.KERNEL32(00000000,?,?,00520A87,00000000,?), ref: 0051FB19
HeapAlloc.KERNEL32(00000000,?,00520A87,00000000,?), ref: 0051FB20

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 00c4dca4bba8ebb8b9edae764b1e0e0cab8cba3926ee672e4bd2926ed8cdf50f
Instruction ID: f760afc4641fc5ef64cf9a07f6beb0a5eecad51b3aee5058c13c223fd5023123
Opcode Fuzzy Hash: 00c4dca4bba8ebb8b9edae764b1e0e0cab8cba3926ee672e4bd2926ed8cdf50f
Instruction Fuzzy Hash: 88F03075510208FFDB14DFB0EC0AAAA3B78FFA9711F108018F909876A0D7319945DB61

Function 004F3DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000001,?,?,0051FF15), ref: 004F3E43
__aulldiv.LIBCMT ref: 004F3E74

Strings

L9<8, xrefs: 004F3F4F

Memory Dump Source

Source File: 00000003.00000002.2146495565.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.2146410268.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146523587.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146539926.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146556366.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.2146578379.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: 7ca2ffee964cfd3d63db4516fdea25a1fcbee56ddb76b533541d91e642f439a3
Instruction ID: e880ea11b6cde693592ad15802ff48fd31895958dd7946d1347dd8b2fe770b9a
Opcode Fuzzy Hash: 7ca2ffee964cfd3d63db4516fdea25a1fcbee56ddb76b533541d91e642f439a3
Instruction Fuzzy Hash: F541E2B6A106048BC728CF14FD9153977B2FFB6715724811FD50287760D338A94AEB95

Analysis Process: tkjnbticppc.exePID: 7964, Parent PID: 7908COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1639
Total number of Limit Nodes:	12

Executed Functions

Function 003A00C1 Relevance: 56.1, APIs: 29, Strings: 2, Instructions: 1864sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 003A03F9
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 003A0427
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 003A046A
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 003A0496
GetTickCount.KERNEL32 ref: 003A0587
GetCommandLineA.KERNEL32 ref: 003A063E
Sleep.KERNELBASE(000003E8), ref: 003A0CDF

Part of subcall function 0039B150: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0039B1D7

Sleep.KERNEL32(00000D05), ref: 003A0BD2

Part of subcall function 0039B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 0039B256
Part of subcall function 0039B150: CloseHandle.KERNEL32(00000000), ref: 0039B26B

Sleep.KERNELBASE(000007D0), ref: 003A0DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 003A0EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 003A0ECC
CopyFileA.KERNEL32(?,?,00000000), ref: 003A0EFE
SetFileAttributesA.KERNEL32(?,00000002), ref: 003A10B9
SetFileAttributesA.KERNEL32(?,00000080), ref: 003A10E7
GetCommandLineA.KERNEL32(00000000), ref: 003A120E
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 003A132B

Part of subcall function 003A2290: lstrlen.KERNEL32(?), ref: 003A22A2
Part of subcall function 003A2290: CharLowerBuffA.USER32(?,00000000), ref: 003A22BE

MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 003A1663

Part of subcall function 003972E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00397452

CloseHandle.KERNEL32(00000000), ref: 003A1AC5
SetFileAttributesA.KERNEL32(?,00000080), ref: 003A1AE1
CopyFileA.KERNEL32(?,?,00000000), ref: 003A1B07
SetFileAttributesA.KERNEL32(?,00000002), ref: 003A1B43
Sleep.KERNEL32(000003E8), ref: 003A1CAC
WSAStartup.WS2_32(00000202,?), ref: 003A1947

Part of subcall function 003B2780: ExitProcess.KERNEL32 ref: 003B27B0

Sleep.KERNEL32(000007D0), ref: 003A1DFC
SetFileAttributesA.KERNEL32(003D6680,00000080), ref: 003A1E27
CopyFileA.KERNEL32(?,003D6680,00000000), ref: 003A1E45
SetFileAttributesA.KERNEL32(003D6680,00000002), ref: 003A1E7B

Part of subcall function 003BC080: Sleep.KERNEL32(000003E8), ref: 003BC1C3

Part of subcall function 0039BBA0: wvsprintfA.USER32(00000000,?,003B09D1), ref: 0039BBEB

CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 003A2194
Sleep.KERNEL32(0000C350), ref: 003A2210

Strings

x7;C, xrefs: 003A0C47
C:\Windows\system32\config\systemprofile, xrefs: 003A03F3

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
String ID: C:\Windows\system32\config\systemprofile$x7;C
API String ID: 1500488346-1470472774
Opcode ID: 9a635779f5e543da8b736f73ca75466324a6706586479d712c7a87bad5da2ef1
Instruction ID: 1db7f916f547bc02e68ecc5a9c31b8840e005efe30ba977a6f1a33fb1947fe2a
Opcode Fuzzy Hash: 9a635779f5e543da8b736f73ca75466324a6706586479d712c7a87bad5da2ef1
Instruction Fuzzy Hash: 6703CD75A12200DBD70BDF65FD92A6A77BEFB54300F00812BE902CB6A5EB74A941CF51

Function 003A2490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(003DEAC8), ref: 003A2572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 003A26EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 003A2843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 003A289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 003A293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003A29E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 003A2CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 003A2D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 003A2EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 003A307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 003A31FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 003A344D

Strings

\, xrefs: 003A2F41
C:\daxjjwrfm\, xrefs: 003A2960, 003A2CC9, 003A3032, 003A321C
Wq0O, xrefs: 003A2FE3
C:\Windows\system32\config\systemprofile, xrefs: 003A2B0A, 003A2BCC

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-4043548932
Opcode ID: 334b6dba0e38f595a9255119500669c2ee70d5e1caee2bd02ca2df33d8865cd6
Instruction ID: b13d56c303fe16dda2e0571a9d6dd34beee3692b26f5f10fa58e55b99736b2aa
Opcode Fuzzy Hash: 334b6dba0e38f595a9255119500669c2ee70d5e1caee2bd02ca2df33d8865cd6
Instruction Fuzzy Hash: C08214B1A02215CFC70BDF69FC92AA677BDFB54310F00812BE901CB6A1E774AA45CB51

Function 003B3060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 003B327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 003B344B
CloseHandle.KERNELBASE(?), ref: 003B34DA

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: cd16494cb8b670606e8f37b080f402d5a6af2a735d7d2a9e5fdd8efb6342f879
Instruction ID: 83d93035a5ad5c7cddb830d9b9c6968e04e1183a8af2e1aaa0cb545c81743413
Opcode Fuzzy Hash: cd16494cb8b670606e8f37b080f402d5a6af2a735d7d2a9e5fdd8efb6342f879
Instruction Fuzzy Hash: 2EC1CD76A22620CBC307DF69FC91AAA73FDF754325F10851BE906CB664E774A981CB40

Function 0039B150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0039B1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 0039B256
CloseHandle.KERNEL32(00000000), ref: 0039B26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0039B2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0039B31A
CloseHandle.KERNEL32(00000000), ref: 0039B334

Strings

td9k, xrefs: 0039B23D

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 39dfe165e49af02f94d97267301dcbd26825f8dcc889f5ab768c1e253834cad8
Instruction ID: 1d354ca82538190dde9aba00709c72f46d6756c3fd982f0999f7b96f92028df4
Opcode Fuzzy Hash: 39dfe165e49af02f94d97267301dcbd26825f8dcc889f5ab768c1e253834cad8
Instruction Fuzzy Hash: CF51D375A12205DFC706DF69FD91A6AB7BDFB84714F10825BE809CB2A0E730A941CF85

Function 003B1E90 Relevance: 10.7, APIs: 7, Instructions: 238
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003B1F5E
Process32First.KERNEL32(00000000,00000128), ref: 003B1FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B20A2

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 87f7d0f8b16089d9c322d21b3e583593b0c18f822ac3e343b34783c078f09bf4
Instruction ID: 6bdd7d889a50565b1f5260669296e3681a294ae7829cee0366e13374c68a9b10
Opcode Fuzzy Hash: 87f7d0f8b16089d9c322d21b3e583593b0c18f822ac3e343b34783c078f09bf4
Instruction Fuzzy Hash: B0A1BBB5502215CBC31BDF29FD96AAA77BEFB64319F01421BD906CA664E734AA40CF40

Function 003B38B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 003B3A0F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 003B3A3E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 003B3A52

Strings

D, xrefs: 003B39D3

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 86c6519278b76755971ae555612e90073911d0a319e9b408160e49cdbebc62af
Instruction ID: 5197a8bbb7a132c828fc5d02be69d5db4293b596f266b6405be247f19048f178
Opcode Fuzzy Hash: 86c6519278b76755971ae555612e90073911d0a319e9b408160e49cdbebc62af
Instruction Fuzzy Hash: D841E1719022149FD70ACF58FD92BA937BDFB54706F10801BE606CB6A4D7B4A944CB85

Function 003AC250 Relevance: 6.1, APIs: 4, Instructions: 148
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003AC312
Process32First.KERNEL32(00000000,?), ref: 003AC35A
Process32Next.KERNEL32(00000000,00000128), ref: 003AC478

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 4676be3552355bf8e216d64821e044aa2e2adcce3fca65beb7cfb8ee65cfe8f5
Instruction ID: 307ddc69f1022a3485be856ec7b7534455f9fb311595d9b76e086b8be826f6bd
Opcode Fuzzy Hash: 4676be3552355bf8e216d64821e044aa2e2adcce3fca65beb7cfb8ee65cfe8f5
Instruction Fuzzy Hash: 765121B5912211CBD717DF20FD65AA937BEFB88305F00841BE802DA6A4EB74A940CF95

Function 003AC520 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,N<,?,003C0A4E,00000000), ref: 003AC549
RtlFreeHeap.NTDLL(00000000,?,003C0A4E,00000000), ref: 003AC550

Strings

N<, xrefs: 003AC543, 003AC546

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: N<
API String ID: 3859560861-1355148757
Opcode ID: 6cb1742fb4e5e7c84d4dc55a54aa71996844e7b3418504d13f6db457c2e47722
Instruction ID: 25df9fc8ba6f998babf6eb86671aaf7bed3f09967bb845c6c95045c928b984db
Opcode Fuzzy Hash: 6cb1742fb4e5e7c84d4dc55a54aa71996844e7b3418504d13f6db457c2e47722
Instruction Fuzzy Hash: 13F065719192049FD7069F59FC9AA6537FDEB05704F00440BF905CB620E774F880CB55

Function 003BC640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(003A2591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,003A2591), ref: 003BC701
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 003BC737
FreeSid.ADVAPI32(?), ref: 003BC798

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0b284e741e08ed5fb75e01c41a7c5ed5e14badd4537ece0bc9225610ca4d5825
Instruction ID: 14e72a4c66fb4c25697fa36b27687efe4aad5320172330429ec093704c85d82a
Opcode Fuzzy Hash: 0b284e741e08ed5fb75e01c41a7c5ed5e14badd4537ece0bc9225610ca4d5825
Instruction Fuzzy Hash: 8A419B39A15248DFC70ACB68FD96AAA7BBDF758304F14815AE502C7661EB30BA44CF01

Function 003A0AE8 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003AC250: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003AC312
Part of subcall function 003AC250: Process32First.KERNEL32(00000000,?), ref: 003AC35A

Sleep.KERNEL32(00000D05), ref: 003A0BD2
Sleep.KERNELBASE(000003E8), ref: 003A0CDF
Sleep.KERNELBASE(000007D0), ref: 003A0DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 003A0EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 003A0ECC

Strings

x7;C, xrefs: 003A0C47

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Sleep$File$AttributesCreateFirstModuleNameProcess32SnapshotToolhelp32
String ID: x7;C
API String ID: 1973522251-2106350440
Opcode ID: 086dae7d4ec072082427baee9c3802d711bab1f38b1d6de0e8c7ef274cb1f889
Instruction ID: 63e2d1866c6d2050d6dcff23cc8e786a0d9a205ecc82160a1d23ded245b6e5f6
Opcode Fuzzy Hash: 086dae7d4ec072082427baee9c3802d711bab1f38b1d6de0e8c7ef274cb1f889
Instruction Fuzzy Hash: 9231D136A116018BC75FCF28FD92B6E73A9F745320F05822BD806DB664E734A944CF85

Function 003AC389 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 003AC478
CloseHandle.KERNELBASE(00000000), ref: 003AC4D5

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: 38a41e7517e150264a9e18c384fb98d0761b9322246da0287a6576dc486727b5
Instruction ID: ad236f4b4bd6f2abae26aa2cd7f2e43a6890da02852c411d8f45e611b6265887
Opcode Fuzzy Hash: 38a41e7517e150264a9e18c384fb98d0761b9322246da0287a6576dc486727b5
Instruction Fuzzy Hash: 733148B9912204CFD72BDF20FD56AEA73BDFB84304F00945BE5059A660E7349A44CF54

Function 003A6F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,003A9195,021A1850,?,?,?,?,?,003B6DD6), ref: 003A6F59
RtlAllocateHeap.NTDLL(00000000,?,003A9195,021A1850,?,?,?,?,?,003B6DD6), ref: 003A6F60

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: aa4c593522844d3a2499a10d546dc53ed3270bfe262df01ccb5f1eaaa13d9d84
Instruction ID: 40e2db4158ff4b1a6ace1b399bfe4a22640430fd27569b3d03f83e0a7a906d19
Opcode Fuzzy Hash: aa4c593522844d3a2499a10d546dc53ed3270bfe262df01ccb5f1eaaa13d9d84
Instruction Fuzzy Hash: 15F08C315157008BCB0ADB65FD9AF2677BDEB65701F08401AF906CB660EAB6A5008B98

Function 003A2290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 003A22A2
CharLowerBuffA.USER32(?,00000000), ref: 003A22BE

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: c297cf3ea38522fbef856cbc59181c31a4bddb219771f47add81174c79253efd
Instruction ID: 2e8a2a5d34cfc35c5f77f2f2919a74ddcef0a778abc09442fc683a67ec82d2c2
Opcode Fuzzy Hash: c297cf3ea38522fbef856cbc59181c31a4bddb219771f47add81174c79253efd
Instruction Fuzzy Hash: 2DE04F721165249B83029F98FC498F53BFCFB15702B445057F949C2570FB6469418795

Function 003B2780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 003B27B0

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: eb2d59a391abedbcd7a2323183a920d922a436f296a46ac5972e9507758f7129
Instruction ID: ea76811e9f7edabae5cee5c285b6e86f38bb082c239769690f6d244a149acbe4
Opcode Fuzzy Hash: eb2d59a391abedbcd7a2323183a920d922a436f296a46ac5972e9507758f7129
Instruction Fuzzy Hash: C7D052700203088ACB02BF20FC8692ABBADFA40702F00181AA8008F220E778F68287D1

Non-executed Functions

Function 003BEEB0 Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 444
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 003BF00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 003BF086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 003BF0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 003BF147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 003BF2C2
CloseHandle.KERNEL32(00000000), ref: 003BF353
CloseHandle.KERNEL32(?), ref: 003BF367
CloseHandle.KERNEL32(00000000), ref: 003BF37B
CloseHandle.KERNEL32(00000000), ref: 003BF3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003BF446
CloseHandle.KERNEL32(00000000), ref: 003BF4D4
CloseHandle.KERNEL32(00000000), ref: 003BF4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 003BF56B
CloseHandle.KERNEL32(?), ref: 003BF586
CloseHandle.KERNEL32(?), ref: 003BF5A7

Strings

^K9, xrefs: 003BF522, 003BF5F1, 003BF541
;8\w, xrefs: 003BF4FA
D, xrefs: 003BF1D6
<,]8, xrefs: 003BF2D1

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D$^K9
API String ID: 1130065513-3753494129
Opcode ID: 3245e345108503da3f96617ea115d2b0c87226c76ec9342517d476cb2e7012cd
Instruction ID: e006673071929f45f4206e8bdbf3efdfe1aadfdde42500691ce2e5f5e7468a22
Opcode Fuzzy Hash: 3245e345108503da3f96617ea115d2b0c87226c76ec9342517d476cb2e7012cd
Instruction Fuzzy Hash: 7112CE75A12205DFC70ACF68FD86AAA77BDFB58315F10852BE906CB664E734A940CF40

Function 003BB7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003BB8EC
Process32First.KERNEL32(00000000,00000128), ref: 003BBA96

Strings

9y8, xrefs: 003BBC13

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: 366f144fc00c12726253e962318462db14020bdcea221b913c0a3a2e9ef3032e
Instruction ID: cf314adf43eb2b0a6bfa87b66a788672fb9731e6b2a028678673c92a77656343
Opcode Fuzzy Hash: 366f144fc00c12726253e962318462db14020bdcea221b913c0a3a2e9ef3032e
Instruction Fuzzy Hash: 8EF12271A122108BC71BDF29FD92AAA77FEFB94314F00811BE506CB674EB74A941CB51

Function 003A8200 Relevance: 13.7, APIs: 9, Instructions: 167serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 003A826F
CreateServiceA.ADVAPI32(00000000,0140E688,0140E688,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 003A82CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 003A8301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003A8323
CloseServiceHandle.ADVAPI32(00000000), ref: 003A833A
OpenServiceA.ADVAPI32(00000000,0140E688,00000010), ref: 003A838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 003A83C2
CloseServiceHandle.ADVAPI32(00000000), ref: 003A8408
CloseServiceHandle.ADVAPI32(00000000), ref: 003A8481

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: e6f40dbca50773fcad04667b7a52638409d90b666f072663dffc6ad6bf7a2c32
Instruction ID: 406a943b3af310d448c2f5259023bde8b149b8c5a2776cd1cddfb02b290c1dcc
Opcode Fuzzy Hash: e6f40dbca50773fcad04667b7a52638409d90b666f072663dffc6ad6bf7a2c32
Instruction Fuzzy Hash: C761AB756126119BD30BCB69FC8AF7537BDF755701F049517E801CA2B0EB74A981CB41

Function 003960A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003940B0: lstrlen.KERNEL32(?,?,00391038,?), ref: 003940DD

Sleep.KERNEL32(000003E8), ref: 00396189
FindFirstFileA.KERNEL32(?,?), ref: 00396274
DeleteFileA.KERNEL32(?), ref: 0039632E
FindNextFileA.KERNEL32(?,?), ref: 00396384
FindClose.KERNEL32(?), ref: 003963AA

Strings

ysh, xrefs: 00396159, 00396169

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: ysh
API String ID: 3282225923-1904326249
Opcode ID: b50b8e8b3a4e6d6aa5ca65b08a4a1589758729a40e56c1cb159b906d31708352
Instruction ID: 32b0f9881224a7da2939aee84174e31abfc50d16f18efa88115b8f45e45fdd54
Opcode Fuzzy Hash: b50b8e8b3a4e6d6aa5ca65b08a4a1589758729a40e56c1cb159b906d31708352
Instruction Fuzzy Hash: 3D81E2769022148FC71BDF65FD82AA977BEFB94300F04415BE505CB2B0EB70AA01CB51

Function 003BA050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 003BA124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 003BA164
GetLastError.KERNEL32(?,00000000,00000001), ref: 003BA176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 003BA24F

Part of subcall function 0039BBA0: wvsprintfA.USER32(00000000,?,003B09D1), ref: 0039BBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 003BA44C

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: 89c6f3493bc25834806a05c7faa19ad8c766a481464d0ea832f7987b3ba3c794
Instruction ID: 8f73760897d6b31400434043780a1805c53e819cfbcdd4bf35552198eedd5c68
Opcode Fuzzy Hash: 89c6f3493bc25834806a05c7faa19ad8c766a481464d0ea832f7987b3ba3c794
Instruction Fuzzy Hash: D3C1D0729126109FD717CF69FD82AAA77FEFB94304F01812BE505DB2A0E770A941CB52

Function 0039B531 Relevance: 12.2, APIs: 8, Instructions: 187registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(0140E688,Function_00014290,?,?,00000072), ref: 0039B669
SetServiceStatus.ADVAPI32(00000000,003D67EC,?,?,00000072), ref: 0039B70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 0039B721
SetServiceStatus.ADVAPI32(00000000,003D67EC,?,?,00000072), ref: 0039B771
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 0039B7D0
SetServiceStatus.ADVAPI32(00000000,003D67EC,00000072), ref: 0039B82A
CloseHandle.KERNEL32(00000000), ref: 0039B841
SetServiceStatus.ADVAPI32(00000000,003D67EC), ref: 0039B8AA

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: a8c12865d81461ac6114a65ce4b31afdea70fac15e0ad89ae3895e01c3153d20
Instruction ID: be2175b42d643595ec235ce76bd33f710facc561036626a28af738ab8844240e
Opcode Fuzzy Hash: a8c12865d81461ac6114a65ce4b31afdea70fac15e0ad89ae3895e01c3153d20
Instruction Fuzzy Hash: 7281887A612216CFC30BDF29FE969667BBDFB98705F00952BE421CA274E774A441CB40

Function 003BA760 Relevance: 10.8, APIs: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 003BA7F1
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 003BA849
CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 003BA885
GetTickCount.KERNEL32 ref: 003BA8B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003BAA75
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 003BAAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003BAAE2

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 0f2c57805e631cfc77654fca3815bb29a98a349015b459a89dd2c2d5222c9033
Instruction ID: 8878a3d54b4b95703dc9377b3454a8dfe6af1a6d013789763f2e4db12c50e6f5
Opcode Fuzzy Hash: 0f2c57805e631cfc77654fca3815bb29a98a349015b459a89dd2c2d5222c9033
Instruction Fuzzy Hash: C2A1F1756026109BD307DF28FD92FBA33BDEB88715F04401BE905CB2A4EB74A941CB96

Function 003B1950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,003B8262,Function_00001300,00000001,?), ref: 003B199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 003B19C2
CloseHandle.KERNEL32(00000000,?,003B8262,Function_00001300,00000001,?), ref: 003B19DD
WaitForSingleObject.KERNEL32(?,000000FF,?,003B8262,Function_00001300,00000001,?), ref: 003B19F2
CloseHandle.KERNEL32(?,?,000000FF,?,003B8262,Function_00001300,00000001,?), ref: 003B1A19

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 743612d8d2df58ab84c345b729792c951069f6547264a9621ac5cff09411f905
Instruction ID: eae4e71035bd5ee5d8dabb63e842e12e1222c405dee90000bc5b5dd8fcef574e
Opcode Fuzzy Hash: 743612d8d2df58ab84c345b729792c951069f6547264a9621ac5cff09411f905
Instruction Fuzzy Hash: 6D21CA762023049FC316DF60FC9AF667BA8FB48710F14811AFA56CA6B4D7B0E8408B95

Function 003A7110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 003A7221
RegSetValueExA.ADVAPI32(?,01406360,00000000,00000001,?,00000000), ref: 003A72E0
RegCloseKey.ADVAPI32(?), ref: 003A7300

Strings

IR, xrefs: 003A7313

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CloseOpenValue
String ID: IR
API String ID: 779948276-3379982419
Opcode ID: 89c31f60e9f7d8d173038381e1e69a47f8748e62215a07d2992848c3c36e8c76
Instruction ID: 8e45f48a7ee2a9719d9ffce76a9670aac29ba642577ade154ba25ebb38e52419
Opcode Fuzzy Hash: 89c31f60e9f7d8d173038381e1e69a47f8748e62215a07d2992848c3c36e8c76
Instruction Fuzzy Hash: C941213A6122109BC707DF29FC86A7A37FDEB95311F04401BE802CB260E778A941CB96

Function 003BE880 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003BE966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 003BE9D7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 003BEADD

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 92bb2e1515e0bdc9a329924402fadb11b64e767fd90a9ed404cdcff8b9002ccc
Instruction ID: 275a4b3313098056d458e6b9acf5da6806ae5fd5178e650198cfce835e00dfd0
Opcode Fuzzy Hash: 92bb2e1515e0bdc9a329924402fadb11b64e767fd90a9ed404cdcff8b9002ccc
Instruction Fuzzy Hash: 5D81AC76A112089BD70BDF68FC92EAA33BDF784704F00551AE906CB2A1DB74B941CF95

Function 003BFAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,003C0A87,00000000,?,?,?,?,?,00000001), ref: 003BFAF7
RtlReAllocateHeap.NTDLL(00000000,?,003C0A87,00000000), ref: 003BFAFE
GetProcessHeap.KERNEL32(00000000,?,?,003C0A87,00000000,?,?,?,?,?,00000001), ref: 003BFB19
HeapAlloc.KERNEL32(00000000,?,003C0A87,00000000,?,?,?,?,?,00000001), ref: 003BFB20

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: a2a70097fead306b2c338a3bee17dc4b2db60e17863c046a12956d5445852267
Instruction ID: 1de094b3442e72e4c10620afcc7794740d2b7cd1aab37765afad76cb24b56d03
Opcode Fuzzy Hash: a2a70097fead306b2c338a3bee17dc4b2db60e17863c046a12956d5445852267
Instruction Fuzzy Hash: D9F03070601204EFDB459FB0FC0AEAA3B6DFF88711F104006F919C65A0D731A940CB61

Function 00393DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00393E43
__aulldiv.LIBCMT ref: 00393E74

Strings

L9<8, xrefs: 00393F4F

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: bdbd7aced5162198643f05dadfb16f60634998ecbfafa2fb120b503d26038f15
Instruction ID: a9e55c32cb294ed98940bf69ab78ddf3d2ff662ebecb5c9e57642e0044d86b3b
Opcode Fuzzy Hash: bdbd7aced5162198643f05dadfb16f60634998ecbfafa2fb120b503d26038f15
Instruction Fuzzy Hash: A141EEB6A126108FCB0BCF18FC9192977BEFB94758F11811BE403CB6A0D334A940CB81

Function 003B99B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 003B9A16
GetTickCount.KERNEL32 ref: 003B9B6B

Strings

@(l$, xrefs: 003B9ABD

Memory Dump Source

Source File: 00000004.00000002.2162511418.0000000000391000.00000020.00000001.01000000.00000007.sdmp, Offset: 00390000, based on PE: true

Associated: 00000004.00000002.2162365136.0000000000390000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162689205.00000000003C2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162711134.00000000003C3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003C6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162732116.00000000003DE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2162797315.00000000003DF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_390000_tkjnbticppc.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @(l$
API String ID: 2164215191-2034585603
Opcode ID: 8bf9db9e2aab779982b1c16f03b4fd7f154e2168370d8c5fa45359b34aae763d
Instruction ID: bc83a60f59261f49e679958eae3c9ed56bb4758e2416e66b79b11339d271a61d
Opcode Fuzzy Hash: 8bf9db9e2aab779982b1c16f03b4fd7f154e2168370d8c5fa45359b34aae763d
Instruction Fuzzy Hash: 8641AC72A122108FC34BDF29FCC29A677ADF7A4715F04412BD846CB670EB78A940CB60

Analysis Process: qbpabupgx.exePID: 7992, Parent PID: 7892COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1462
Total number of Limit Nodes:	5

Executed Functions

Function 00502490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0053EAC8), ref: 00502572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 005026EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00502843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0050289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0050293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005029E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00502CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 00502D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00502EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0050307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 005031FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0050344D

Strings

Wq0O, xrefs: 00502FE3
C:\daxjjwrfm\, xrefs: 00502960, 00502CC9, 00503032, 0050321C
\, xrefs: 00502F41
C:\Users\user, xrefs: 00502B0A, 00502BCC

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-3631644381
Opcode ID: a82f5e654683990dd9cdb7a83d21239c342d40a7407e4efcf0ce788b6e7e9e96
Instruction ID: 191e156553f982054ec22c17c3643e758e7d0e5aaac4378aa48f09f0456594ce
Opcode Fuzzy Hash: a82f5e654683990dd9cdb7a83d21239c342d40a7407e4efcf0ce788b6e7e9e96
Instruction Fuzzy Hash: E68215B5900205CBD728DF24FC96ABA3BB5FBB5310F00812AE501C73A1E774998EEB55

Function 005000C8 Relevance: 21.6, APIs: 7, Strings: 5, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 005003F9

Strings

x7;C, xrefs: 00500C47
h5, xrefs: 005003BB
jjj, xrefs: 00500421
hC<, xrefs: 00500968
C:\Users\user, xrefs: 005003F3

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: EnvironmentVariable
String ID: C:\Users\user$hC<$h5$jjj$x7;C
API String ID: 1431749950-1342009712
Opcode ID: ff33821ffa3a61216c04c8829490cc0c9ea42eaf93bb699cf2afe0a054d2b782
Instruction ID: ef3ec30f2ec3ce0419c1379b277aefb9cd9b4ac765bf1d2f8d542ad47081c240
Opcode Fuzzy Hash: ff33821ffa3a61216c04c8829490cc0c9ea42eaf93bb699cf2afe0a054d2b782
Instruction Fuzzy Hash: C8420075A01300DBD728DF64EC96A7A7BF5FBB5300F04812AE501DB3A1E778994AEB50

Function 00513060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0051327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 0051344B
CloseHandle.KERNELBASE(?), ref: 005134DA

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: f4fd2299ab06ade427fcb3b9f5327491f2270d8289b3c645380038f6605d4b15
Instruction ID: 8e27b6526896857904cd0ff1c324a724d8a5ea235daca7b14da74286495bc27a
Opcode Fuzzy Hash: f4fd2299ab06ade427fcb3b9f5327491f2270d8289b3c645380038f6605d4b15
Instruction Fuzzy Hash: 52C11476A10614DBD314CF68FC916AA37F5FBB9321B10852AE801C7374E774998EEB84

Function 0050C520 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,NR,?,00520A4E,00000000), ref: 0050C549
RtlFreeHeap.NTDLL(00000000,?,00520A4E,00000000), ref: 0050C550

Strings

NR, xrefs: 0050C543, 0050C546

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: NR
API String ID: 3859560861-4207911306
Opcode ID: 1383c515e6d3cca8a1fa63529ae975c54e9b30d4854b37b33bf0016898108c28
Instruction ID: b34a37147e411ef864164982d009ba6b352d1cb11e4362b7967fbd85c8cdd530
Opcode Fuzzy Hash: 1383c515e6d3cca8a1fa63529ae975c54e9b30d4854b37b33bf0016898108c28
Instruction Fuzzy Hash: 68F065759083049FDA149F58EC9A6657BF4FB59704F004509E905C7770D770E888EB59

Function 0051C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00502591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00502591), ref: 0051C701
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0051C737
FreeSid.ADVAPI32(?), ref: 0051C798

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8e61836a5dc05a45d102f951ec7aadb2114f11d33f98e1e989b61967afa8c4f8
Instruction ID: 410d4a1312071602542d86abd6b4fca513e3a0de0a5d0e3c653abd400d0f4e1c
Opcode Fuzzy Hash: 8e61836a5dc05a45d102f951ec7aadb2114f11d33f98e1e989b61967afa8c4f8
Instruction Fuzzy Hash: 6741D075A40244DFD728CFA8ED969A97BF5FF7A300B108159E502C7361E734A98AEF01

Function 00506F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00509195,021A1850,?,?,?,?,?,00516DD6), ref: 00506F59
RtlAllocateHeap.NTDLL(00000000,?,00509195,021A1850,?,?,?,?,?,00516DD6), ref: 00506F60

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: eb7a7bac68dc25a35947aa9073998a099607100a44d80c7521c787be83f224e9
Instruction ID: 002797277f65f3d58164fb421510dbd01186f919f70c284151ec41845791274a
Opcode Fuzzy Hash: eb7a7bac68dc25a35947aa9073998a099607100a44d80c7521c787be83f224e9
Instruction Fuzzy Hash: 00F0EC35500B018BCF18EB64FC99A243BB9FF66601B044008E502876A0EAB2A40897A8

Function 00502290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 005022A2
CharLowerBuffA.USER32(?,00000000), ref: 005022BE

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: 99e74a921bb08b9b09ddd480d1c6d7f789227808c8229b60e0fb381227d527bf
Instruction ID: 9a8a762a049453b3dfdc03cdcfd0d278da94c66747c9c71cf04bb46b9fbf4a43
Opcode Fuzzy Hash: 99e74a921bb08b9b09ddd480d1c6d7f789227808c8229b60e0fb381227d527bf
Instruction Fuzzy Hash: FBE0DF72100A289B83149F98FC1A0F9B7FCFF393023044056F54AC23B0EB34194AA3A0

Function 004F72E0 Relevance: 1.7, APIs: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 004F7452

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d0671f70c08ecd58e0f7e7af68fb6d34beb39cd794692527fde21b87f844da9
Instruction ID: 2ecf39cb398a1d4e12b3fabf145856cfd9bfd62203ab4ac7993447f4295bc689
Opcode Fuzzy Hash: 6d0671f70c08ecd58e0f7e7af68fb6d34beb39cd794692527fde21b87f844da9
Instruction Fuzzy Hash: 41510676A012149BD328DB28FC936B637B5FBB5711F10802AE501C77B5E738988AEB54

Function 00512780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 005127B0

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 550b5efa4e4e4fb8e0260ce40034c49c57f7b79ac2a20eeb3eb9ef6656f8130e
Instruction ID: 58397e2eb2d5afd075fcce737c20783d90b1533aefa613a37cd195387d476347
Opcode Fuzzy Hash: 550b5efa4e4e4fb8e0260ce40034c49c57f7b79ac2a20eeb3eb9ef6656f8130e
Instruction Fuzzy Hash: 10D05E745203088AC710AF20FC8742637EDFA607017001419A4008F3A0F77CF686A7D5

Non-executed Functions

Function 0051EEB0 Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 444
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 0051F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0051F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0051F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0051F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0051F2C2
CloseHandle.KERNEL32(00000000), ref: 0051F353
CloseHandle.KERNEL32(?), ref: 0051F367
CloseHandle.KERNEL32(00000000), ref: 0051F37B
CloseHandle.KERNEL32(00000000), ref: 0051F3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0051F446
CloseHandle.KERNEL32(00000000), ref: 0051F4D4
CloseHandle.KERNEL32(00000000), ref: 0051F4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 0051F56B
CloseHandle.KERNEL32(?), ref: 0051F586
CloseHandle.KERNEL32(?), ref: 0051F5A7

Strings

;8\w, xrefs: 0051F4FA
D, xrefs: 0051F1D6
^KO, xrefs: 0051F522, 0051F5F1, 0051F541
<,]8, xrefs: 0051F2D1

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D$^KO
API String ID: 1130065513-1725895288
Opcode ID: d20b1d3c7b00d9632f5a24d01d7c176b4618b91d5a80a787e7baf0a8ad2b4a77
Instruction ID: 1ffbec5ba7fb7b15108d4b48eb33f1e62d76f55af6b41bb3e4e9af5665493129
Opcode Fuzzy Hash: d20b1d3c7b00d9632f5a24d01d7c176b4618b91d5a80a787e7baf0a8ad2b4a77
Instruction Fuzzy Hash: 6512F375A00205DFD718CF64ED96AAA3BB5FBB8710B10852EE402C7374E774994AEF50

Function 0051B7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 0051B8EC
Process32First.KERNEL32(00000000,00000128), ref: 0051BA96

Strings

9y8, xrefs: 0051BC13

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: 1d14b121dead8421cabc961c111982f35ccc40a249889a8d62045c430442cc1f
Instruction ID: 331ebdfffea3613c510b6635d6a8b2f16c3dd916333cf525cb04807770717262
Opcode Fuzzy Hash: 1d14b121dead8421cabc961c111982f35ccc40a249889a8d62045c430442cc1f
Instruction Fuzzy Hash: 23F106756002058BE728DF29ED926B93BF5FBB5310B00811EE406C7774E774998EEB91

Function 00508200 Relevance: 13.7, APIs: 9, Instructions: 167serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0050826F
CreateServiceA.ADVAPI32(00000000,00C847B0,00C847B0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005082CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00508301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00508323
CloseServiceHandle.ADVAPI32(00000000), ref: 0050833A
OpenServiceA.ADVAPI32(00000000,00C847B0,00000010), ref: 0050838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 005083C2
CloseServiceHandle.ADVAPI32(00000000), ref: 00508408
CloseServiceHandle.ADVAPI32(00000000), ref: 00508481

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: f5533e8c8e4b26f84d69daf8542cbf29f10eb632ead9a93f8852e522435a9acf
Instruction ID: 12b7849ff8c76961fb44dd2c93466ea639a407ccaa42a7d3edd33e8dcccc5e20
Opcode Fuzzy Hash: f5533e8c8e4b26f84d69daf8542cbf29f10eb632ead9a93f8852e522435a9acf
Instruction Fuzzy Hash: AA61DD726056019BD328CB68FC96B793BF4FBB5701F04951AE841C63B0EB70988EEB51

Function 004F60A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004F40B0: lstrlen.KERNEL32(?,?,004F1038,?), ref: 004F40DD

Sleep.KERNEL32(000003E8), ref: 004F6189
FindFirstFileA.KERNEL32(?,?), ref: 004F6274
DeleteFileA.KERNEL32(?), ref: 004F632E
FindNextFileA.KERNEL32(?,?), ref: 004F6384
FindClose.KERNEL32(?), ref: 004F63AA

Strings

ysh, xrefs: 004F6159, 004F6169

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: ysh
API String ID: 3282225923-1904326249
Opcode ID: 14e1f66f7ff0cdb35550fc8c837392852416d3617413512b543f6cfa62a1dcc3
Instruction ID: aad53a61532cc791b1fffa7fc909abe316018e1907298dc2d1f547854891b950
Opcode Fuzzy Hash: 14e1f66f7ff0cdb35550fc8c837392852416d3617413512b543f6cfa62a1dcc3
Instruction Fuzzy Hash: 69812375900208DFD728DF64EC96AAA77B5FBB5300F04815AE505873B0FB348A4AEF95

Function 0051A050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 0051A124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 0051A164
GetLastError.KERNEL32(?,00000000,00000001), ref: 0051A176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 0051A24F

Part of subcall function 004FBBA0: wvsprintfA.USER32(00000000,?,005109D1), ref: 004FBBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 0051A44C

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: d6e3658e2dcfe9f590da08d5e0e71b73b64542f2eae86e10d5ed48f001530b42
Instruction ID: e3482ff0f7fdc665b61ffa7633ac0fa46f6be55ee62fdac0fed17894ef3a2b6b
Opcode Fuzzy Hash: d6e3658e2dcfe9f590da08d5e0e71b73b64542f2eae86e10d5ed48f001530b42
Instruction Fuzzy Hash: 13C11776901304DBE724CF64FD8666A7BF5FBB9300F00812AE505DB3A0E774994AEB52

Function 004FB150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 004FB1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 004FB256
CloseHandle.KERNEL32(00000000), ref: 004FB26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004FB2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 004FB31A
CloseHandle.KERNEL32(00000000), ref: 004FB334

Strings

td9k, xrefs: 004FB23D

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 05dbbae8837fb10b80407aced45ab5da4af33681cb8e5d8d8033e3b2649e0906
Instruction ID: 6525bd4f39822752dea994a0a1b40a29e9095047281f0073eaf5cc0997b19727
Opcode Fuzzy Hash: 05dbbae8837fb10b80407aced45ab5da4af33681cb8e5d8d8033e3b2649e0906
Instruction Fuzzy Hash: 54510575A012059BC324CF68FD81A6AB7B4FFA5314F10821BE805CB3A0E3349C4AEF95

Function 004FB531 Relevance: 12.2, APIs: 8, Instructions: 190registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00C847B0,Function_00014290,E4E0A1C8,?,?,00000005,00000072), ref: 004FB669
SetServiceStatus.ADVAPI32(00000000,005367EC,?,?,00000005,00000072), ref: 004FB70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000005,00000072), ref: 004FB721
SetServiceStatus.ADVAPI32(00000000,005367EC,?,?,00000005,00000072), ref: 004FB771
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000005,00000072), ref: 004FB7D0
SetServiceStatus.ADVAPI32(00000000,005367EC,00000072), ref: 004FB82A
CloseHandle.KERNEL32(00000000), ref: 004FB841
SetServiceStatus.ADVAPI32(00000000,005367EC), ref: 004FB8AA

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 677aa3be026c03c0fe0b516d59a632f7594c883b4c78abf6aeb27e3b00c06d4a
Instruction ID: f4f0018728c419f8cfecdbaae4b519a73ce5eda520089d6aa4f3602f14074058
Opcode Fuzzy Hash: 677aa3be026c03c0fe0b516d59a632f7594c883b4c78abf6aeb27e3b00c06d4a
Instruction Fuzzy Hash: C481B6765012029BD318CF25EC969263BE5FBBA705700C51EE4028B3B4E778980EEBA4

Function 0051A760 Relevance: 10.8, APIs: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 0051A7F1
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 0051A849
CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 0051A885
GetTickCount.KERNEL32 ref: 0051A8B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0051AA75
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 0051AAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0051AAE2

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 14e36aa44f3ef626e61a89f06c06bc8f7772bced1015fdf8b83a212a5197a8a9
Instruction ID: 75c2c56b86d268b396b64c91e36d5839ca2243cf9c5de17049196b8af60c8efd
Opcode Fuzzy Hash: 14e36aa44f3ef626e61a89f06c06bc8f7772bced1015fdf8b83a212a5197a8a9
Instruction Fuzzy Hash: CEA10475601200DBE315DF28EC96BBA37B5FBB9711F14401AF901C73A0E774988AEB96

Function 00511E90 Relevance: 10.7, APIs: 7, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00511F5E
Process32First.KERNEL32(00000000,00000128), ref: 00511FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005120A2

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 809b3503363178761202d1865aee019efd700db5f7b3517eecafc8c7e0030b9b
Instruction ID: 1aad6de98c880a19a25ce962f451a210d7801b1da97002cdeb704b2e99fe5b70
Opcode Fuzzy Hash: 809b3503363178761202d1865aee019efd700db5f7b3517eecafc8c7e0030b9b
Instruction Fuzzy Hash: 42A1FFB5601205DBE728DF24FD966A93BB5FB79311F00411AD806CA370E3349A8EEF54

Function 00511950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00518262,Function_00001300,00000001,?), ref: 0051199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 005119C2
CloseHandle.KERNEL32(00000000,?,00518262,Function_00001300,00000001,?), ref: 005119DD
WaitForSingleObject.KERNEL32(?,000000FF,?,00518262,Function_00001300,00000001,?), ref: 005119F2
CloseHandle.KERNEL32(?,?,000000FF,?,00518262,Function_00001300,00000001,?), ref: 00511A19

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: b76000cc688254885c8657aa1d0d01bab8320dbb6b735524b9715c7adf48c991
Instruction ID: 7d45c67df73eabb6df908d6b6b31eeb90476cb7d10ccffeb449495040903ace8
Opcode Fuzzy Hash: b76000cc688254885c8657aa1d0d01bab8320dbb6b735524b9715c7adf48c991
Instruction Fuzzy Hash: 9621DF31200300AFD328CF60EC9AB263BA4FF69710F10851DF6568B7B4D7B0A849EB95

Function 00507110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00507221
RegSetValueExA.ADVAPI32(?,00C84978,00000000,00000001,?,00000000), ref: 005072E0
RegCloseKey.ADVAPI32(?), ref: 00507300

Strings

IR, xrefs: 00507313

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseOpenValue
String ID: IR
API String ID: 779948276-3379982419
Opcode ID: f4e7e8c2741be83370fec0e2d2a7e82fbe4980c773448d8c5061a9b55188d34e
Instruction ID: a013d1f64df086074499be74a4191ddbb9be7ec844d00d8b99788d391a9ef6a4
Opcode Fuzzy Hash: f4e7e8c2741be83370fec0e2d2a7e82fbe4980c773448d8c5061a9b55188d34e
Instruction Fuzzy Hash: F141687A6012059BD728CF24FC86A7A37F5FBB9311B04441AE802C73B0E778984AFB55

Function 005138B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00513A0F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00513A3E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00513A52

Strings

D, xrefs: 005139D3

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: aecdb84193c2a7d380190bbe05b6701e3230cbba8a6f4f967688f6525b8ed406
Instruction ID: 91cd1be997e62dcbb78daf1141870388b387eed6e60f39a38e173e5454c8e2f8
Opcode Fuzzy Hash: aecdb84193c2a7d380190bbe05b6701e3230cbba8a6f4f967688f6525b8ed406
Instruction Fuzzy Hash: 934114719002049BE718CF58ECA1BA93BB5FF74711F00801AE506DB3A4E3B0998DEB95

Function 0051E880 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0051E966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 0051E9D7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0051EADD

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 1cdd7d3f1e4609d88c85fd204121320c0e518df7f48d00d0332ccd89b11ec344
Instruction ID: fa7e83b56f4a4fa36de4410162861c7c3626bcbbe2c181944d6fffad08efaf15
Opcode Fuzzy Hash: 1cdd7d3f1e4609d88c85fd204121320c0e518df7f48d00d0332ccd89b11ec344
Instruction Fuzzy Hash: 9F81F3756002049FD724DF68FC96B6A3BB5FBB6300F104519E905C73A1DB74A88AEF94

Function 0050C250 Relevance: 6.1, APIs: 4, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0050C312
Process32First.KERNEL32(00000000,?), ref: 0050C35A
Process32Next.KERNEL32(00000000,00000128), ref: 0050C478

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: d5ed7dee2215075782f8a2de777bb8e155820b39e28944ae4c135b88291bb1c1
Instruction ID: 2344b23ddd607dce317d333a3dab4954136f0e739ba4d9347d3ca6a54a53cca5
Opcode Fuzzy Hash: d5ed7dee2215075782f8a2de777bb8e155820b39e28944ae4c135b88291bb1c1
Instruction Fuzzy Hash: 27512375900211CBD728CF20FD596B93BB5FBB5301F00851AE8069B7A4EB74998DEF91

Function 0051FAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00520A87,00000000,?,?,?,?,?,00000001), ref: 0051FAF7
RtlReAllocateHeap.NTDLL(00000000,?,00520A87,00000000), ref: 0051FAFE
GetProcessHeap.KERNEL32(00000000,?,?,00520A87,00000000,?,?,?,?,?,00000001), ref: 0051FB19
HeapAlloc.KERNEL32(00000000,?,00520A87,00000000,?,?,?,?,?,00000001), ref: 0051FB20

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 00c4dca4bba8ebb8b9edae764b1e0e0cab8cba3926ee672e4bd2926ed8cdf50f
Instruction ID: f760afc4641fc5ef64cf9a07f6beb0a5eecad51b3aee5058c13c223fd5023123
Opcode Fuzzy Hash: 00c4dca4bba8ebb8b9edae764b1e0e0cab8cba3926ee672e4bd2926ed8cdf50f
Instruction Fuzzy Hash: 88F03075510208FFDB14DFB0EC0AAAA3B78FFA9711F108018F909876A0D7319945DB61

Function 004F3DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 004F3E43
__aulldiv.LIBCMT ref: 004F3E74

Strings

L9<8, xrefs: 004F3F4F

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: 7ca2ffee964cfd3d63db4516fdea25a1fcbee56ddb76b533541d91e642f439a3
Instruction ID: e880ea11b6cde693592ad15802ff48fd31895958dd7946d1347dd8b2fe770b9a
Opcode Fuzzy Hash: 7ca2ffee964cfd3d63db4516fdea25a1fcbee56ddb76b533541d91e642f439a3
Instruction Fuzzy Hash: F541E2B6A106048BC728CF14FD9153977B2FFB6715724811FD50287760D338A94AEB95

Function 005199B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00519A16
GetTickCount.KERNEL32 ref: 00519B6B

Strings

@(l$, xrefs: 00519ABD

Memory Dump Source

Source File: 00000005.00000002.1391123493.00000000004F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000005.00000002.1391109627.00000000004F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391148983.0000000000522000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391162050.0000000000523000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.0000000000526000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391175259.000000000053E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1391218879.000000000053F000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f0000_qbpabupgx.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @(l$
API String ID: 2164215191-2034585603
Opcode ID: 88d80ec83d7eba75d4346ea3436c2d8d62a9bfcf1fa383c5d60c4561acba6b3a
Instruction ID: 0f7eef2a16ec85d8108f1573015f0b9a31415f4efb07e2a19ae3e496122ac64d
Opcode Fuzzy Hash: 88d80ec83d7eba75d4346ea3436c2d8d62a9bfcf1fa383c5d60c4561acba6b3a
Instruction Fuzzy Hash: 9541AC729016108BD358CF28FCD25BA3BB5FBB9721704442AD846C6775EB34A94EFB90

Analysis Process: tkjnbticppc.exePID: 3112, Parent PID: 2804COMMON

Executed Functions

Function 00E800C8 Relevance: 56.1, APIs: 29, Strings: 2, Instructions: 1861sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00E803F9
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00E80427
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00E8046A
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00E80496
GetTickCount.KERNEL32 ref: 00E80587
GetCommandLineA.KERNEL32 ref: 00E8063E
Sleep.KERNELBASE(000003E8), ref: 00E80CDF

Part of subcall function 00E7B150: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00E7B1D7

Sleep.KERNEL32(00000D05), ref: 00E80BD2

Part of subcall function 00E7B150: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00E7B256
Part of subcall function 00E7B150: CloseHandle.KERNEL32(00000000), ref: 00E7B26B

Sleep.KERNELBASE(000007D0), ref: 00E80DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00E80EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00E80ECC
CopyFileA.KERNEL32(?,?,00000000), ref: 00E80EFE
SetFileAttributesA.KERNEL32(?,00000002), ref: 00E810B9
SetFileAttributesA.KERNEL32(?,00000080), ref: 00E810E7
GetCommandLineA.KERNEL32(00000000), ref: 00E8120E
GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 00E8132B

Part of subcall function 00E82290: lstrlen.KERNEL32(?), ref: 00E822A2
Part of subcall function 00E82290: CharLowerBuffA.USER32(?,00000000), ref: 00E822BE

MessageBoxA.USER32(00000000,00000004,00000005,00000000), ref: 00E81663

Part of subcall function 00E772E0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00E77452

CloseHandle.KERNEL32(00000000), ref: 00E81AC5
SetFileAttributesA.KERNEL32(?,00000080), ref: 00E81AE1
CopyFileA.KERNEL32(?,?,00000000), ref: 00E81B07
SetFileAttributesA.KERNEL32(?,00000002), ref: 00E81B43
Sleep.KERNEL32(000003E8), ref: 00E81CAC
WSAStartup.WS2_32(00000202,?), ref: 00E81947

Part of subcall function 00E92780: ExitProcess.KERNEL32 ref: 00E927B0

Sleep.KERNEL32(000007D0), ref: 00E81DFC
SetFileAttributesA.KERNEL32(00EB6680,00000080), ref: 00E81E27
CopyFileA.KERNEL32(?,00EB6680,00000000), ref: 00E81E45
SetFileAttributesA.KERNEL32(00EB6680,00000002), ref: 00E81E7B

Part of subcall function 00E9C080: Sleep.KERNEL32(000003E8), ref: 00E9C1C3

Part of subcall function 00E7BBA0: wvsprintfA.USER32(00000000,?,00E909D1), ref: 00E7BBEB

CreateThread.KERNEL32(00000000,00000000,Function_0002FE10,00000000,00000000,00000000), ref: 00E82194
Sleep.KERNEL32(0000C350), ref: 00E82210

Strings

C:\Windows\system32\config\systemprofile, xrefs: 00E803F3
x7;C, xrefs: 00E80C47

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: File$AttributesSleep$Create$CopyMutex$CloseCommandHandleLineModuleName$BuffCharCountEnvironmentExitLowerMessageProcessStartupThreadTickTimeVariablelstrlenwvsprintf
String ID: C:\Windows\system32\config\systemprofile$x7;C
API String ID: 1500488346-1470472774
Opcode ID: 4573c70abe4abfb1ca2a6d9b1f6e3698634bb9666173a3790109352518a7b711
Instruction ID: 18014f3cb5b7bfc7c45f0f04bd974792b954fa376fbb8955888c56be2eda8e5c
Opcode Fuzzy Hash: 4573c70abe4abfb1ca2a6d9b1f6e3698634bb9666173a3790109352518a7b711
Instruction Fuzzy Hash: 2F031371A00200CFD718EF66ED92A6B77F5FB98310B10822AE50AF7275E774A94DCB51

Function 00E82490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00EBEAC8), ref: 00E82572
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00E826EF
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00E82843
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00E8289F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00E8293F
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E829E1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00E82CAC
CreateDirectoryA.KERNEL32(?,00000000), ref: 00E82D6E
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00E82EB0
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00E8307B
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00E831FA
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00E8344D

Strings

C:\Windows\system32\config\systemprofile, xrefs: 00E82B0A, 00E82BCC
\, xrefs: 00E82F41
Wq0O, xrefs: 00E82FE3
C:\daxjjwrfm\, xrefs: 00E82960, 00E82CC9, 00E83032, 00E8321C

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Windows\system32\config\systemprofile$C:\daxjjwrfm\$Wq0O$\
API String ID: 1691758827-4043548932
Opcode ID: 8296c4e326e5921a53789e688e7fc7e2d32d174f6512b75575435f0956bfaf40
Instruction ID: 1b9bc2782e3ab716e4071a5223359959a2bbc04d9ee61bb979590ba6589ec962
Opcode Fuzzy Hash: 8296c4e326e5921a53789e688e7fc7e2d32d174f6512b75575435f0956bfaf40
Instruction Fuzzy Hash: F48213B1A002018FC718EF36ED926A737F5FB99310B10922AE509F72B5E774A94DCB51

Function 00E93060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00E9327A
WriteFile.KERNELBASE(?,?,00005000,00005000,00000000), ref: 00E9344B
CloseHandle.KERNELBASE(?), ref: 00E934DA

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: bc685eefed50cce930bf8d6a0746c244f025805044ef4a4cda548f2d936d8d3b
Instruction ID: abec2de68154357e015873ee2ace5b66ad142a6fb27f5bf1ea9293cdcc9e9ce0
Opcode Fuzzy Hash: bc685eefed50cce930bf8d6a0746c244f025805044ef4a4cda548f2d936d8d3b
Instruction Fuzzy Hash: 99C10176A11610CFC704CF6AFC9166B33F5F799325B10922AE806FB275E774A989CB40

Function 00E7B150 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00E7B1D7
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00E7B256
CloseHandle.KERNEL32(00000000), ref: 00E7B26B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E7B2E7
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00E7B31A
CloseHandle.KERNEL32(00000000), ref: 00E7B334

Strings

td9k, xrefs: 00E7B23D

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: td9k
API String ID: 3236713533-1579400769
Opcode ID: 2baa375811a76d0ddf8e8154b64b24bf2d06a832c39a6a9984eb80496414e149
Instruction ID: 0ee76e09e8ad0b4db04b04274610c4704d8b01718bba8d3cb94a3953e8cfe35d
Opcode Fuzzy Hash: 2baa375811a76d0ddf8e8154b64b24bf2d06a832c39a6a9984eb80496414e149
Instruction Fuzzy Hash: 8651C4756012019FC314DF6AFC816AB77B5FB89314F10835BE409F7264E774A949CB85

Function 00E91E90 Relevance: 10.7, APIs: 7, Instructions: 238
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E91F5E
Process32First.KERNEL32(00000000,00000128), ref: 00E91FDC
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E920A2

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 51ed99e3cc813a6c5cf514f2a3987c4881854eeeeba58de0c1e80e7057bf3ccc
Instruction ID: 0ca633181aaae95c7a3d096898d4ca7e04499566ff6e77a5fbad09438a33c37b
Opcode Fuzzy Hash: 51ed99e3cc813a6c5cf514f2a3987c4881854eeeeba58de0c1e80e7057bf3ccc
Instruction Fuzzy Hash: 37A1D075602211DFCB18DF27ED926AA73B5FB99310B14422ED946FA274E734AA4CCF40

Function 00E938B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000008,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00E93A0F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00E93A3E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00E93A52

Strings

D, xrefs: 00E939D3

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: cfa7c86984af62fb7f69054a06e6a70586aa8ad847d6b4f74809a464f2fb40ea
Instruction ID: eb6b525806eee185948f6e35fcba72181903d76f16406ce5486d95e58a24a2b7
Opcode Fuzzy Hash: cfa7c86984af62fb7f69054a06e6a70586aa8ad847d6b4f74809a464f2fb40ea
Instruction Fuzzy Hash: C241DE719002049FDB08CF6AED91BAA37F5FB58711F10811AE506FB2B8D7B4A94CCB45

Function 00E8C250 Relevance: 6.1, APIs: 4, Instructions: 148
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E8C312
Process32First.KERNEL32(00000000,?), ref: 00E8C35A
Process32Next.KERNEL32(00000000,00000128), ref: 00E8C478

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: 56831b6de978ac23e807321e3530edc133313694f956daa831e1c8f5d5da6585
Instruction ID: 940fd0f53020512555c610ed30df0a5d4f9dd4f9294f20cfc5efa2ec9ddebee0
Opcode Fuzzy Hash: 56831b6de978ac23e807321e3530edc133313694f956daa831e1c8f5d5da6585
Instruction Fuzzy Hash: 2F514271500211CFC714DF22FD956AB37B5FB89304F10822AE40ABA6B4EB74994CCFA1

Function 00E8C520 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,N,?,00EA0A4E,00000000), ref: 00E8C549
RtlFreeHeap.NTDLL(00000000,?,00EA0A4E,00000000), ref: 00E8C550

Strings

N, xrefs: 00E8C543, 00E8C546

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: N
API String ID: 3859560861-980360074
Opcode ID: 633ae550340750546db3cda61385b3488f2ae51d6d1c47acf4d28527f142342a
Instruction ID: 6e85a8a66c858f47e5f7cc4d6626bcd3a047f28912acd3e18bce62308438eb27
Opcode Fuzzy Hash: 633ae550340750546db3cda61385b3488f2ae51d6d1c47acf4d28527f142342a
Instruction Fuzzy Hash: 1AF0E5708082049FDA18DF5AEC9652637F4EB49304F000509E50AE7630E770F888CBAA

Function 00E9C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00E82591,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00E82591), ref: 00E9C701
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E9C737
FreeSid.ADVAPI32(?), ref: 00E9C798

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 33958a134e9d875578bfda3e68d9fbd41a0d52425264ac4c0ec1b24d28dca239
Instruction ID: 79668973d5b26cd3166637dfba730ad5c96f295725312d21165e5b2d1ea287af
Opcode Fuzzy Hash: 33958a134e9d875578bfda3e68d9fbd41a0d52425264ac4c0ec1b24d28dca239
Instruction Fuzzy Hash: BB41BE35A04244DFCB08DBBAED9696A77F5F75D300B14825AE502F7262E734A948CF11

Function 00E80AE8 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8C250: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E8C312
Part of subcall function 00E8C250: Process32First.KERNEL32(00000000,?), ref: 00E8C35A

Sleep.KERNEL32(00000D05), ref: 00E80BD2
Sleep.KERNELBASE(000003E8), ref: 00E80CDF
Sleep.KERNELBASE(000007D0), ref: 00E80DD1
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00E80EA8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00E80ECC

Strings

x7;C, xrefs: 00E80C47

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Sleep$File$AttributesCreateFirstModuleNameProcess32SnapshotToolhelp32
String ID: x7;C
API String ID: 1973522251-2106350440
Opcode ID: f475c76b6513d7511b4bcf564f86875d53ebfbfe411e5d92f13f258e5d03e43a
Instruction ID: 77175afbbe24037715d87dfc277fa07cf88f365eef53eec20ab81dc8261ef61a
Opcode Fuzzy Hash: f475c76b6513d7511b4bcf564f86875d53ebfbfe411e5d92f13f258e5d03e43a
Instruction Fuzzy Hash: 7F31C632A046018FD79CEF2AED9166BB7A1F744314F154229D80EF7661E734584CCF85

Function 00E8C389 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32Next.KERNEL32(00000000,00000128), ref: 00E8C478
CloseHandle.KERNELBASE(00000000), ref: 00E8C4D5

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: 8c0020f35584ecbfd985b3cf070f142ea9242b3812561c12483ed74743734335
Instruction ID: 677e74ad9eb964807c39ba4dcaf76a888bde0d68571f26f49a3397d02a956920
Opcode Fuzzy Hash: 8c0020f35584ecbfd985b3cf070f142ea9242b3812561c12483ed74743734335
Instruction Fuzzy Hash: D3312771900200CFD718EF26ED916EB37B5FB88300F10925ED509B6264E774AA4CCFA0

Function 00E86F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00E89195,021A1850,?,?,?,?,?,00E96DD6), ref: 00E86F59
RtlAllocateHeap.NTDLL(00000000,?,00E89195,021A1850,?,?,?,?,?,00E96DD6), ref: 00E86F60

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 7d5505e71d49b8900ed620c910de726b2b97122071cf470f45bc61a363fab78e
Instruction ID: 560a8a990578b3b33810a8dcf3fb7d3f2c4633b149a605cf40b63ffce349c3d9
Opcode Fuzzy Hash: 7d5505e71d49b8900ed620c910de726b2b97122071cf470f45bc61a363fab78e
Instruction Fuzzy Hash: 42F082316147008FCB08DB66ED99A2637E9AB49601B045518A21AFB960E6B5A4088798

Function 00E82290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00E822A2
CharLowerBuffA.USER32(?,00000000), ref: 00E822BE

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: cf54524a8f8a6dc5d4f693a4dc12ce85c186986bd34cddb2e43e9e83fba94abe
Instruction ID: 8cdf568dc519a3c8e4d32c04e08e958e229815377129318ddbbe54316ebb47fd
Opcode Fuzzy Hash: cf54524a8f8a6dc5d4f693a4dc12ce85c186986bd34cddb2e43e9e83fba94abe
Instruction Fuzzy Hash: 8EE0DF321005209F83049FAAFD080F733ECFB093023444256E589F2A70EB282889C790

Function 00E92780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00E927B0

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 995f902153e840738ed92eeaeb5e5ba6e2c84e4a90968621d218600a32f9394c
Instruction ID: a57da26b1edab3d2daea7a44c3b0d75a95fc2d3783861a2644c1fc9de0e91258
Opcode Fuzzy Hash: 995f902153e840738ed92eeaeb5e5ba6e2c84e4a90968621d218600a32f9394c
Instruction Fuzzy Hash: 6FD05E704203048E8714BF62FC854667BAEFB447007006514A400AB331E374F68587D1

Non-executed Functions

Function 00E9EEB0 Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 444
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000,00000001), ref: 00E9F00B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00E9F086
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 00E9F0A6
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00E9F147
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00E9F2C2
CloseHandle.KERNEL32(00000000), ref: 00E9F353
CloseHandle.KERNEL32(?), ref: 00E9F367
CloseHandle.KERNEL32(00000000), ref: 00E9F37B
CloseHandle.KERNEL32(00000000), ref: 00E9F3A9
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E9F446
CloseHandle.KERNEL32(00000000), ref: 00E9F4D4
CloseHandle.KERNEL32(00000000), ref: 00E9F4E8
WaitForSingleObject.KERNEL32(?,00002710), ref: 00E9F56B
CloseHandle.KERNEL32(?), ref: 00E9F586
CloseHandle.KERNEL32(?), ref: 00E9F5A7

Strings

;8\w, xrefs: 00E9F4FA
<,]8, xrefs: 00E9F2D1
^K, xrefs: 00E9F522, 00E9F5F1, 00E9F541
D, xrefs: 00E9F1D6

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: ;8\w$<,]8$D$^K
API String ID: 1130065513-1517541040
Opcode ID: dcf25a2f9fb0e247e845576ac5b9349233124a5b133a237f2fe67d31c412c011
Instruction ID: 12d46e9b96e64bbbc7bc02e2960c4e33485435fafdf089c5cd47ef7357260c33
Opcode Fuzzy Hash: dcf25a2f9fb0e247e845576ac5b9349233124a5b133a237f2fe67d31c412c011
Instruction Fuzzy Hash: C412D475A10215DFCB08CF67ED91AAB37F5FB59310B14822AE902F7274E738A948CB50

Function 00E9B7F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E9B8EC
Process32First.KERNEL32(00000000,00000128), ref: 00E9BA96

Strings

9y8, xrefs: 00E9BC13

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: 9y8
API String ID: 2353314856-3592070472
Opcode ID: 1b8fae0bd8233b677aa53141985f5db5af5b43ab3f1158a048abebfd1e54e464
Instruction ID: 7109b9d37b0b041f0e407b436bba5cf2f6d17e512ccca629f2fd6d4e5b05a4ca
Opcode Fuzzy Hash: 1b8fae0bd8233b677aa53141985f5db5af5b43ab3f1158a048abebfd1e54e464
Instruction Fuzzy Hash: DEF10171A102108FCB28DF2BED9257B37E5FB99310B14822AE406F72B5E774A949CB51

Function 00E88200 Relevance: 13.7, APIs: 9, Instructions: 167serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00E8826F
CreateServiceA.ADVAPI32(00000000,01292F70,01292F70,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00E882CA
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00E88301
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E88323
CloseServiceHandle.ADVAPI32(00000000), ref: 00E8833A
OpenServiceA.ADVAPI32(00000000,01292F70,00000010), ref: 00E8838B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00E883C2
CloseServiceHandle.ADVAPI32(00000000), ref: 00E88408
CloseServiceHandle.ADVAPI32(00000000), ref: 00E88481

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 6cc947a1ef78ef4239f6e792c9279f117fce28f74bb19616055f30e8d810a1dd
Instruction ID: 71c422dc60c37f0f1b83b12e49115e5373fd39e660058dfd90a1c7574a1ef47b
Opcode Fuzzy Hash: 6cc947a1ef78ef4239f6e792c9279f117fce28f74bb19616055f30e8d810a1dd
Instruction Fuzzy Hash: 4B61DC726052119FD304CB2AFD86B7737F4FB49705F14521AE949FA2B0EB74A888CB41

Function 00E760A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E740B0: lstrlen.KERNEL32(?,?,00E71038,?), ref: 00E740DD

Sleep.KERNEL32(000003E8), ref: 00E76189
FindFirstFileA.KERNEL32(?,?), ref: 00E76274
DeleteFileA.KERNEL32(?), ref: 00E7632E
FindNextFileA.KERNEL32(?,?), ref: 00E76384
FindClose.KERNEL32(?), ref: 00E763AA

Strings

ysh, xrefs: 00E76159, 00E76169

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleeplstrlen
String ID: ysh
API String ID: 3282225923-1904326249
Opcode ID: 90dff4cf62307c838e217c6d87c6e151a40b666b6924e5b0423e4f309114e1f3
Instruction ID: 90f11ea9a4bec2002c7c3e47a7b39154e25220db0c296250a041475ac0b5529d
Opcode Fuzzy Hash: 90dff4cf62307c838e217c6d87c6e151a40b666b6924e5b0423e4f309114e1f3
Instruction Fuzzy Hash: 99811371A003148FC718CF66ED92AA777F5FB99310F04825AE505B72B5EB70A90CCB91

Function 00E9A050 Relevance: 7.8, APIs: 5, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,?,00000000,00000001), ref: 00E9A124
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000,?,00000000,00000001), ref: 00E9A164
GetLastError.KERNEL32(?,00000000,00000001), ref: 00E9A176
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000,00000001), ref: 00E9A24F

Part of subcall function 00E7BBA0: wvsprintfA.USER32(00000000,?,00E909D1), ref: 00E7BBEB

CloseServiceHandle.ADVAPI32(00000000,00000001), ref: 00E9A44C

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenServicewvsprintf
String ID:
API String ID: 475583450-0
Opcode ID: eb616a99e0ccf1e1172b401038ab93781d1344e1cecb8e1ac49bb4fbc3ceddaa
Instruction ID: 655de954d26f0e36ec6923ba47ca0afd5361caa7ef5cc8bbef180c8575656292
Opcode Fuzzy Hash: eb616a99e0ccf1e1172b401038ab93781d1344e1cecb8e1ac49bb4fbc3ceddaa
Instruction Fuzzy Hash: 99C1C271A012009FD714CF6AED81A6B77F5FB99300F04922AE505FB3B4E774A949CB92

Function 00E7B531 Relevance: 12.2, APIs: 8, Instructions: 188registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01292F70,Function_00014290,?,?,00000072), ref: 00E7B669
SetServiceStatus.ADVAPI32(00000000,00EB67EC,?,?,00000072), ref: 00E7B70D
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000072), ref: 00E7B721
SetServiceStatus.ADVAPI32(00000000,00EB67EC,?,?,00000072), ref: 00E7B771
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,00000072), ref: 00E7B7D0
SetServiceStatus.ADVAPI32(00000000,00EB67EC,00000072), ref: 00E7B82A
CloseHandle.KERNEL32(00000000), ref: 00E7B841
SetServiceStatus.ADVAPI32(00000000,00EB67EC), ref: 00E7B8AA

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: e4ead34ed3967d7b294d99194c36235450dee4fc3cd2493ba3d227a42e5fb84e
Instruction ID: 4c86a2096151867f62aece8b52f7bad90965da0092f71ae9013c6ed2865280d1
Opcode Fuzzy Hash: e4ead34ed3967d7b294d99194c36235450dee4fc3cd2493ba3d227a42e5fb84e
Instruction Fuzzy Hash: 3581AA76501221CFC308CF2BFD999673BE5FB99705710962AE456BA374EB78A80DCB40

Function 00E9A760 Relevance: 10.8, APIs: 7, Instructions: 266fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,000000FF), ref: 00E9A7F1
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,000000FF), ref: 00E9A849
CloseHandle.KERNEL32(00000000,?,?,000000FF), ref: 00E9A885
GetTickCount.KERNEL32 ref: 00E9A8B8
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00E9AA75
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000), ref: 00E9AAC8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9AAE2

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: cdd412c2b08a824ffe3ed4ec93aa4551b71f0033c4e0585b9c41bca24f46ff59
Instruction ID: 50386bb40cc9ab7d7cd9e1312c006a2e5f6c70ce17769af9081e173316da311b
Opcode Fuzzy Hash: cdd412c2b08a824ffe3ed4ec93aa4551b71f0033c4e0585b9c41bca24f46ff59
Instruction Fuzzy Hash: 95A104716012109FD704DF2AED82B7B33E4FB89715F14422AE905F73A1EB74A848CB92

Function 00E91950 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00E98262,Function_00001300,00000001,?), ref: 00E9199B
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00E919C2
CloseHandle.KERNEL32(00000000,?,00E98262,Function_00001300,00000001,?), ref: 00E919DD
WaitForSingleObject.KERNEL32(?,000000FF,?,00E98262,Function_00001300,00000001,?), ref: 00E919F2
CloseHandle.KERNEL32(?,?,000000FF,?,00E98262,Function_00001300,00000001,?), ref: 00E91A19

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 69a4e8e45da24c4271b3b882d1428ee9f43f75835940659de119ee8493e41a89
Instruction ID: fd5eea0c3281563d8b5f2d94bf4b8c8cd287a586935c27e18a1b5cb2c729387c
Opcode Fuzzy Hash: 69a4e8e45da24c4271b3b882d1428ee9f43f75835940659de119ee8493e41a89
Instruction Fuzzy Hash: CF21E1762003009FC314DF62ED95B637BA4FB49710F20861EF646BB6B4D7B4A848CB95

Function 00E87110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00E87221
RegSetValueExA.ADVAPI32(?,01292F30,00000000,00000001,?,00000000), ref: 00E872E0
RegCloseKey.ADVAPI32(?), ref: 00E87300

Strings

IR, xrefs: 00E87313

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CloseOpenValue
String ID: IR
API String ID: 779948276-3379982419
Opcode ID: 5b17d71125d7cfebd56756fbaee0e89b456d79d41bf819f1864120f5715d235b
Instruction ID: 0528177130f49ffda58623952627850e81179a8e8e1d6875d429f14b770e1949
Opcode Fuzzy Hash: 5b17d71125d7cfebd56756fbaee0e89b456d79d41bf819f1864120f5715d235b
Instruction Fuzzy Hash: 724166756112008FC708DF26FC85A7737F4E789311B14422AE849F7771E778A849CB51

Function 00E9E880 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E9E966
ReadFile.KERNEL32(00000000,?,00005000,00000000,00000000), ref: 00E9E9D7
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00E9EADD

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 7d10f96ceaa725be5b1ce03571d4afdcb928d05c790801bdbc9d7c3ae6bcc4dc
Instruction ID: 900e5d6673da3f815bbc6f689c24c0590f55647728d530184ded0a7730f7fb69
Opcode Fuzzy Hash: 7d10f96ceaa725be5b1ce03571d4afdcb928d05c790801bdbc9d7c3ae6bcc4dc
Instruction Fuzzy Hash: 2A81E075A002049FDB18DF6AEC91A6B33F5F789304F10965AE506B73A1EB74B848CF94

Function 00E9FAD0 Relevance: 6.0, APIs: 4, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00EA0A87,00000000,?,?,?,?,?,00000001), ref: 00E9FAF7
RtlReAllocateHeap.NTDLL(00000000,?,00EA0A87,00000000), ref: 00E9FAFE
GetProcessHeap.KERNEL32(00000000,?,?,00EA0A87,00000000,?,?,?,?,?,00000001), ref: 00E9FB19
HeapAlloc.KERNEL32(00000000,?,00EA0A87,00000000,?,?,?,?,?,00000001), ref: 00E9FB20

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 337bac03a8eb08d46b9edaac9bdf8b0bb55fb7987f916e1d82c8704794e70529
Instruction ID: ea5d9ab5b911c7b3be25fbed1a491b12104c00352ca5fca70960306bf65a4102
Opcode Fuzzy Hash: 337bac03a8eb08d46b9edaac9bdf8b0bb55fb7987f916e1d82c8704794e70529
Instruction Fuzzy Hash: 38F03070601204EFDB149FB6FD49AAB3B6CFF88711F104119F919F66A0E731A948CB61

Function 00E73DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,00000001,00000000,00000001,00000000), ref: 00E73E43
__aulldiv.LIBCMT ref: 00E73E74

Strings

L9<8, xrefs: 00E73F4F

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID: L9<8
API String ID: 2838486344-2160928743
Opcode ID: 6ebf87775ef534df9b45b5992dcf96c4a3cdc021a0f2aeb7414fb3fbe16026dc
Instruction ID: 77b7b2f46a82cd6ec01bcb5d894e53bf9e83c066098c09cbb642cee428302d58
Opcode Fuzzy Hash: 6ebf87775ef534df9b45b5992dcf96c4a3cdc021a0f2aeb7414fb3fbe16026dc
Instruction Fuzzy Hash: B6412376A103108FC758CF2AFCD156A77B2FB8A718720921ED447BB660D334A94DDB80

Function 00E999B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00E99A16
GetTickCount.KERNEL32 ref: 00E99B6B

Strings

@(l$, xrefs: 00E99ABD

Memory Dump Source

Source File: 0000000A.00000002.3130796308.0000000000E71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000A.00000002.3130777116.0000000000E70000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130826301.0000000000EA2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130845524.0000000000EA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EA6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130863619.0000000000EBE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.3130924205.0000000000EBF000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e70000_tkjnbticppc.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @(l$
API String ID: 2164215191-2034585603
Opcode ID: fd22f8da5979e15efc33dfd6428e874b6b130f97654ce241ab66e9c6c646edd3
Instruction ID: 50f0922c974bf8b582b83688d2af093a5d584e3c3fdf1091e6bc909d81ef17b5
Opcode Fuzzy Hash: fd22f8da5979e15efc33dfd6428e874b6b130f97654ce241ab66e9c6c646edd3
Instruction Fuzzy Hash: 6341A072A002108FC744DF2BFCC25A777B1FBA9325314422AD446F6671F778A948CB50

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 66HKNPT1fl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\daxjjwrfm\nozyy3rc2p

C:\daxjjwrfm\ew3dvaplid9hjn8.exe

C:\daxjjwrfm\nozyy3rc2p

C:\daxjjwrfm\qbpabupgx.exe

C:\daxjjwrfm\tkjnbticppc.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
66HKNPT1fl.exe

Function 00022490 Relevance: 28.9, APIs: 12, Strings: 4, Instructions: 918
fileCOMMON

Function 000160A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186
filesleepCOMMON

Function 00033060 Relevance: 4.8, APIs: 3, Instructions: 287
fileCOMMON

Function 0003C640 Relevance: 4.6, APIs: 3, Instructions: 120
memoryCOMMON

Function 0002C520 Relevance: 3.0, APIs: 2, Instructions: 24
memoryCOMMON

Function 0002B733 Relevance: .3, Instructions: 255
COMMON

Function 0003A760 Relevance: 10.8, APIs: 7, Instructions: 266
fileCOMMON

Function 000338B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
processCOMMON

Function 00026F00 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Function 00022290 Relevance: 3.0, APIs: 2, Instructions: 21
stringCOMMON

Function 00032780 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre