Edit tour

Windows Analysis Report
YiqjcLlhew.exe

Overview

General Information

Sample name:	YiqjcLlhew.exe renamed because original name is a hash value
Original sample name:	e01a1e921ef924c2e1407fae1f09ec200cdb144973f431e81440e39b1005a9ce.exe
Analysis ID:	1551217
MD5:	f51da33b8f97ec40e1960522549dcca7
SHA1:	001ffe1d668e5131cef1f105bfede3780c123ef8
SHA256:	e01a1e921ef924c2e1407fae1f09ec200cdb144973f431e81440e39b1005a9ce
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to resolve many domain names, but no domain seems valid

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YiqjcLlhew.exe (PID: 3712 cmdline: "C:\Users\user\Desktop\YiqjcLlhew.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

kfdag3t9jukjqfngi9xbw.exe (PID: 6028 cmdline: "C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

skjlipudplp.exe (PID: 788 cmdline: "C:\vdjmzgowdzhfmld\skjlipudplp.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

svchost.exe (PID: 7036 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

skjlipudplp.exe (PID: 1768 cmdline: C:\vdjmzgowdzhfmld\skjlipudplp.exe MD5: F51DA33B8F97EC40E1960522549DCCA7)

xmjofjnkdlv.exe (PID: 2940 cmdline: owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

skjlipudplp.exe (PID: 3920 cmdline: "c:\vdjmzgowdzhfmld\skjlipudplp.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

xmjofjnkdlv.exe (PID: 2260 cmdline: owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

skjlipudplp.exe (PID: 1580 cmdline: "c:\vdjmzgowdzhfmld\skjlipudplp.exe" MD5: F51DA33B8F97EC40E1960522549DCCA7)

SgrmBroker.exe (PID: 2620 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 4536 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3792 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1008 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 1056 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 3424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7036, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:05:06.584363+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.7	57908	TCP
2024-11-07T16:05:44.687430+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.7	58082	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:59.173639+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49702	TCP
2024-11-07T16:05:03.942656+0100	2018141	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.7	57893	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:59.173639+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49702	TCP
2024-11-07T16:05:03.942656+0100	2037771	1	A Network Trojan was detected	18.143.155.63	80	192.168.2.7	57893	TCP

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.711974+0100	2018316	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.7	62685	UDP

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:57.989454+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.7	54957	UDP
2024-11-07T16:06:18.908489+0100	2811542	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.7	61860	UDP

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:54.762478+0100	2815568	1	A Network Trojan was detected	192.168.2.7	49699	199.59.243.227	80	TCP
2024-11-07T16:06:13.889430+0100	2815568	1	A Network Trojan was detected	192.168.2.7	58142	199.59.243.227	80	TCP

ETPRO MALWARE W32/Bayrob Attempted Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T16:04:54.762478+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.7	49699	199.59.243.227	80	TCP
2024-11-07T16:06:13.889430+0100	2820680	1	Malware Command and Control Activity Detected	192.168.2.7	58142	199.59.243.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YiqjcLlhew.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	ReversingLabs: Detection: 92%
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	ReversingLabs: Detection: 92%
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: YiqjcLlhew.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Joe Sandbox ML: detected
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Joe Sandbox ML: detected
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YiqjcLlhew.exe

Joe Sandbox ML: detected

Source: YiqjcLlhew.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: YiqjcLlhew.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00BF3740
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_002E3740
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01003740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_01003740
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_006B3740
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01003740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_01003740
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_001A3740

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.7:49699 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2820680 - Severity 1 - ETPRO MALWARE W32/Bayrob Attempted Checkin 2 : 192.168.2.7:58142 -> 199.59.243.227:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: heavydivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarypeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavendivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returndivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glasspeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlestream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavystream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarydaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requirebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requiremanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlenothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answeranother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heaveninstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavymanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnnothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavynothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreebusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessarybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ordermanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: necessaryanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerpeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybottle.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavybright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavyinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousdivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlebright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassbrown.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreepeople.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returninside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leaderbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentleexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: requireexplain.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassready.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavennothing.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwarddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heardbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: answerbusiness.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnstream.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: variousinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pleasantanother.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: difficultappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: forwardappear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinstead.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glassdaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: returnbright.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heavenmanner.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: degreeinside.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentledivide.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hearddaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orderanother.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 183

Source: global traffic

DNS traffic detected: number of DNS queries: 183

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 18.143.155.63 18.143.155.63

Source: Network traffic	Suricata IDS: 2018316 - Severity 1 - ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses : 1.1.1.1:53 -> 192.168.2.7:62685
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.7:54957
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.7:49699 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.143.155.63:80 -> 192.168.2.7:57893
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.143.155.63:80 -> 192.168.2.7:57893
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49702
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49702
Source: Network traffic	Suricata IDS: 2815568 - Severity 1 - ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort : 192.168.2.7:58142 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2811542 - Severity 1 - ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) : 1.1.1.1:53 -> 192.168.2.7:61860
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:57908
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.7:58082

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C06C30 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket,

1_2_00C06C30

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: variousstream.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: returnbottle.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: gentleanother.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: glassbright.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: pleasantinstead.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: degreedaughter.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: difficultpeople.net

Source: global traffic	DNS traffic detected: DNS query: heavennothing.net
Source: global traffic	DNS traffic detected: DNS query: leaderbottle.net
Source: global traffic	DNS traffic detected: DNS query: heavenbottle.net
Source: global traffic	DNS traffic detected: DNS query: leaderdivide.net
Source: global traffic	DNS traffic detected: DNS query: heavendivide.net
Source: global traffic	DNS traffic detected: DNS query: heavystream.net
Source: global traffic	DNS traffic detected: DNS query: gentlestream.net
Source: global traffic	DNS traffic detected: DNS query: heavynothing.net
Source: global traffic	DNS traffic detected: DNS query: gentlenothing.net
Source: global traffic	DNS traffic detected: DNS query: heavybottle.net
Source: global traffic	DNS traffic detected: DNS query: gentlebottle.net
Source: global traffic	DNS traffic detected: DNS query: heavydivide.net
Source: global traffic	DNS traffic detected: DNS query: gentledivide.net
Source: global traffic	DNS traffic detected: DNS query: variousstream.net
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: returnstream.net
Source: global traffic	DNS traffic detected: DNS query: variousnothing.net
Source: global traffic	DNS traffic detected: DNS query: returnnothing.net
Source: global traffic	DNS traffic detected: DNS query: variousbottle.net
Source: global traffic	DNS traffic detected: DNS query: returnbottle.net
Source: global traffic	DNS traffic detected: DNS query: variousdivide.net
Source: global traffic	DNS traffic detected: DNS query: returndivide.net
Source: global traffic	DNS traffic detected: DNS query: degreemanner.net
Source: global traffic	DNS traffic detected: DNS query: forwardmanner.net
Source: global traffic	DNS traffic detected: DNS query: degreeanother.net
Source: global traffic	DNS traffic detected: DNS query: forwardanother.net
Source: global traffic	DNS traffic detected: DNS query: degreebusiness.net
Source: global traffic	DNS traffic detected: DNS query: forwardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: degreeappear.net
Source: global traffic	DNS traffic detected: DNS query: forwardappear.net
Source: global traffic	DNS traffic detected: DNS query: answermanner.net
Source: global traffic	DNS traffic detected: DNS query: glassmanner.net
Source: global traffic	DNS traffic detected: DNS query: answeranother.net
Source: global traffic	DNS traffic detected: DNS query: glassanother.net
Source: global traffic	DNS traffic detected: DNS query: answerbusiness.net
Source: global traffic	DNS traffic detected: DNS query: glassbusiness.net
Source: global traffic	DNS traffic detected: DNS query: answerappear.net
Source: global traffic	DNS traffic detected: DNS query: glassappear.net
Source: global traffic	DNS traffic detected: DNS query: difficultmanner.net
Source: global traffic	DNS traffic detected: DNS query: heardmanner.net
Source: global traffic	DNS traffic detected: DNS query: difficultanother.net
Source: global traffic	DNS traffic detected: DNS query: heardanother.net
Source: global traffic	DNS traffic detected: DNS query: difficultbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heardbusiness.net
Source: global traffic	DNS traffic detected: DNS query: difficultappear.net
Source: global traffic	DNS traffic detected: DNS query: heardappear.net
Source: global traffic	DNS traffic detected: DNS query: pleasantmanner.net
Source: global traffic	DNS traffic detected: DNS query: necessarymanner.net
Source: global traffic	DNS traffic detected: DNS query: pleasantanother.net
Source: global traffic	DNS traffic detected: DNS query: necessaryanother.net
Source: global traffic	DNS traffic detected: DNS query: pleasantbusiness.net
Source: global traffic	DNS traffic detected: DNS query: necessarybusiness.net
Source: global traffic	DNS traffic detected: DNS query: pleasantappear.net
Source: global traffic	DNS traffic detected: DNS query: necessaryappear.net
Source: global traffic	DNS traffic detected: DNS query: ordermanner.net
Source: global traffic	DNS traffic detected: DNS query: requiremanner.net
Source: global traffic	DNS traffic detected: DNS query: orderanother.net
Source: global traffic	DNS traffic detected: DNS query: requireanother.net
Source: global traffic	DNS traffic detected: DNS query: orderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: requirebusiness.net
Source: global traffic	DNS traffic detected: DNS query: orderappear.net
Source: global traffic	DNS traffic detected: DNS query: requireappear.net
Source: global traffic	DNS traffic detected: DNS query: leadermanner.net
Source: global traffic	DNS traffic detected: DNS query: heavenmanner.net
Source: global traffic	DNS traffic detected: DNS query: leaderanother.net
Source: global traffic	DNS traffic detected: DNS query: heavenanother.net
Source: global traffic	DNS traffic detected: DNS query: leaderbusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavenbusiness.net
Source: global traffic	DNS traffic detected: DNS query: leaderappear.net
Source: global traffic	DNS traffic detected: DNS query: heavenappear.net
Source: global traffic	DNS traffic detected: DNS query: heavymanner.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanner.net
Source: global traffic	DNS traffic detected: DNS query: heavyanother.net
Source: global traffic	DNS traffic detected: DNS query: gentleanother.net
Source: global traffic	DNS traffic detected: DNS query: heavybusiness.net
Source: global traffic	DNS traffic detected: DNS query: gentlebusiness.net
Source: global traffic	DNS traffic detected: DNS query: heavyappear.net
Source: global traffic	DNS traffic detected: DNS query: gentleappear.net
Source: global traffic	DNS traffic detected: DNS query: variousmanner.net
Source: global traffic	DNS traffic detected: DNS query: returnmanner.net
Source: global traffic	DNS traffic detected: DNS query: variousanother.net
Source: global traffic	DNS traffic detected: DNS query: returnanother.net
Source: global traffic	DNS traffic detected: DNS query: variousbusiness.net
Source: global traffic	DNS traffic detected: DNS query: returnbusiness.net
Source: global traffic	DNS traffic detected: DNS query: variousappear.net
Source: global traffic	DNS traffic detected: DNS query: returnappear.net
Source: global traffic	DNS traffic detected: DNS query: degreeinstead.net
Source: global traffic	DNS traffic detected: DNS query: forwardinstead.net
Source: global traffic	DNS traffic detected: DNS query: degreeexplain.net
Source: global traffic	DNS traffic detected: DNS query: forwardexplain.net
Source: global traffic	DNS traffic detected: DNS query: degreebright.net
Source: global traffic	DNS traffic detected: DNS query: forwardbright.net
Source: global traffic	DNS traffic detected: DNS query: degreeinside.net
Source: global traffic	DNS traffic detected: DNS query: forwardinside.net
Source: global traffic	DNS traffic detected: DNS query: answerinstead.net
Source: global traffic	DNS traffic detected: DNS query: glassinstead.net
Source: global traffic	DNS traffic detected: DNS query: answerexplain.net
Source: global traffic	DNS traffic detected: DNS query: glassexplain.net
Source: global traffic	DNS traffic detected: DNS query: answerbright.net
Source: global traffic	DNS traffic detected: DNS query: glassbright.net

Source: svchost.exe, 00000003.00000002.1364436671.0000015A94E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1364628795.0000015A94E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363938257.0000015A94E5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364035786.0000015A94E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1364628795.0000015A94E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1363744787.0000015A94E86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364643194.0000015A94E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364515591.0000015A94E50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364035786.0000015A94E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364515591.0000015A94E50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364079628.0000015A94E32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dyn
Source: svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic
Source: svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
Source: svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1364049652.0000015A94E34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: skjlipudplp.exe, 00000004.00000002.2043452680.0000000001185000.00000004.00000020.00020000.00000000.sdmp, skjlipudplp.exe, 0000000F.00000002.3077820317.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	File created: C:\Windows\vdjmzgowdzhfmld\	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	File created: C:\Windows\vdjmzgowdzhfmld\ceoxltnia	Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

File deleted: C:\Windows\vdjmzgowdzhfmld\ceoxltnia

Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C1D0EB	1_2_00C1D0EB
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0B38E	1_2_00C0B38E
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF7FA0	1_2_00BF7FA0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C248F0	1_2_00C248F0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF9820	1_2_00BF9820
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C13860	1_2_00C13860
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BFD1F0	1_2_00BFD1F0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C00950	1_2_00C00950
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C22170	1_2_00C22170
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C20930	1_2_00C20930
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C202F0	1_2_00C202F0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF2AE0	1_2_00BF2AE0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0C2A0	1_2_00C0C2A0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D243	1_2_00C0D243
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D271	1_2_00C0D271
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0422D	1_2_00C0422D
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C06C30	1_2_00C06C30
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BFD446	1_2_00BFD446
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF45C0	1_2_00BF45C0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C236D0	1_2_00C236D0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BFA6F0	1_2_00BFA6F0
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C10670	1_2_00C10670
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C1F790	1_2_00C1F790
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D79A	1_2_00C0D79A
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D755	1_2_00C0D755
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D772	1_2_00C0D772
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C15710	1_2_00C15710
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0D716	1_2_00C0D716
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_0030D0EB	2_2_0030D0EB
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F0950	2_2_002F0950
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_003136D0	2_2_003136D0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E7FA0	2_2_002E7FA0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FB381	2_2_002FB381
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E9820	2_2_002E9820
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F6C30	2_2_002F6C30
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_00303860	2_2_00303860
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002ED446	2_2_002ED446
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_003148F0	2_2_003148F0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_00310930	2_2_00310930
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_00312170	2_2_00312170
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002ED1F0	2_2_002ED1F0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E45C0	2_2_002E45C0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F422D	2_2_002F422D
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_00300670	2_2_00300670
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FD271	2_2_002FD271
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FC2A0	2_2_002FC2A0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_003102F0	2_2_003102F0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E2AE0	2_2_002E2AE0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002EA6F0	2_2_002EA6F0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_00305710	2_2_00305710
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FD716	2_2_002FD716
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FD772	2_2_002FD772
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FD755	2_2_002FD755
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_0030F790	2_2_0030F790
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002FD79A	2_2_002FD79A
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01010950	4_2_01010950
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01016C30	4_2_01016C30
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0102D0EB	4_2_0102D0EB
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101B37D	4_2_0101B37D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01007FA0	4_2_01007FA0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_010336D0	4_2_010336D0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01002AE0	4_2_01002AE0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01030930	4_2_01030930
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01032170	4_2_01032170
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_010045C0	4_2_010045C0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0100D1F0	4_2_0100D1F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01009820	4_2_01009820
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0100D446	4_2_0100D446
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01023860	4_2_01023860
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_010348F0	4_2_010348F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01025710	4_2_01025710
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D716	4_2_0101D716
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D755	4_2_0101D755
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D772	4_2_0101D772
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0102F790	4_2_0102F790
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D79A	4_2_0101D79A
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101422D	4_2_0101422D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D243	4_2_0101D243
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101D271	4_2_0101D271
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01020670	4_2_01020670
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0101C2A0	4_2_0101C2A0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_0100A6F0	4_2_0100A6F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_010302F0	4_2_010302F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006DD0EB	9_2_006DD0EB
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CB37D	9_2_006CB37D
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B7FA0	9_2_006B7FA0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006D3860	9_2_006D3860
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006BD446	9_2_006BD446
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B9820	9_2_006B9820
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C6C30	9_2_006C6C30
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006E48F0	9_2_006E48F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006E2170	9_2_006E2170
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C0950	9_2_006C0950
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006E0930	9_2_006E0930
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006BD1F0	9_2_006BD1F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B45C0	9_2_006B45C0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006D0670	9_2_006D0670
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CD271	9_2_006CD271
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C422C	9_2_006C422C
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B2AE0	9_2_006B2AE0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006BA6F0	9_2_006BA6F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006E02F0	9_2_006E02F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006E36D0	9_2_006E36D0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CC2A0	9_2_006CC2A0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CD772	9_2_006CD772
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CD755	9_2_006CD755
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CD716	9_2_006CD716
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006D5710	9_2_006D5710
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006CD79A	9_2_006CD79A
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006DF790	9_2_006DF790
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0102D0EB	10_2_0102D0EB
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101B37D	10_2_0101B37D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01007FA0	10_2_01007FA0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01030930	10_2_01030930
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01010950	10_2_01010950
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01032170	10_2_01032170
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_010045C0	10_2_010045C0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0100D1F0	10_2_0100D1F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01009820	10_2_01009820
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01016C30	10_2_01016C30
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0100D446	10_2_0100D446
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01023860	10_2_01023860
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_010348F0	10_2_010348F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01025710	10_2_01025710
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D716	10_2_0101D716
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D755	10_2_0101D755
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D772	10_2_0101D772
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0102F790	10_2_0102F790
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D79A	10_2_0101D79A
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101422D	10_2_0101422D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D243	10_2_0101D243
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101D271	10_2_0101D271
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01020670	10_2_01020670
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0101C2A0	10_2_0101C2A0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_010336D0	10_2_010336D0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01002AE0	10_2_01002AE0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_0100A6F0	10_2_0100A6F0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_010302F0	10_2_010302F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001CD0EB	16_2_001CD0EB
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BB37D	16_2_001BB37D
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A7FA0	16_2_001A7FA0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001B6C30	16_2_001B6C30
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A9820	16_2_001A9820
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001AD446	16_2_001AD446
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001C3860	16_2_001C3860
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001D48F0	16_2_001D48F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001D0930	16_2_001D0930
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001B0950	16_2_001B0950
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001D2170	16_2_001D2170
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A45C0	16_2_001A45C0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001AD1F0	16_2_001AD1F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001B422C	16_2_001B422C
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD243	16_2_001BD243
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD271	16_2_001BD271
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001C0670	16_2_001C0670
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BC2A0	16_2_001BC2A0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001D36D0	16_2_001D36D0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001AA6F0	16_2_001AA6F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001D02F0	16_2_001D02F0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A2AE0	16_2_001A2AE0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001C5710	16_2_001C5710
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD716	16_2_001BD716
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD755	16_2_001BD755
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD772	16_2_001BD772
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001BD79A	16_2_001BD79A
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001CF790	16_2_001CF790

Source: YiqjcLlhew.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/6@335/5

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	1_2_00BF53B0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	2_2_002E53B0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_010053B0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_006B53B0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_010053B0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	16_2_001A53B0

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C10250 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00C10250

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00BF53B0 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

1_2_00BF53B0

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF6430 StartServiceCtrlDispatcherA,	1_2_00BF6430
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E6430 StartServiceCtrlDispatcherA,	2_2_002E6430
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01006430 StartServiceCtrlDispatcherA,	4_2_01006430
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B6430 StartServiceCtrlDispatcherA,	9_2_006B6430
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01006430 StartServiceCtrlDispatcherA,	10_2_01006430
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A6430 StartServiceCtrlDispatcherA,	16_2_001A6430

Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2056:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Jump to behavior

Source: YiqjcLlhew.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: YiqjcLlhew.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

File read: C:\Users\user\Desktop\YiqjcLlhew.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YiqjcLlhew.exe "C:\Users\user\Desktop\YiqjcLlhew.exe"
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Process created: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe "C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe C:\vdjmzgowdzhfmld\skjlipudplp.exe
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Process created: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "C:\vdjmzgowdzhfmld\skjlipudplp.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Process created: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Process created: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe "C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe"	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "C:\vdjmzgowdzhfmld\skjlipudplp.exe"	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Process created: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "c:\vdjmzgowdzhfmld\skjlipudplp.exe"	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Process created: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Process created: C:\vdjmzgowdzhfmld\skjlipudplp.exe "c:\vdjmzgowdzhfmld\skjlipudplp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: YiqjcLlhew.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C236D0 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

1_2_00C236D0

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C190D3 push es; iretd	1_2_00C190D9
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C02094 push cs; ret	1_2_00C02095
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0206B push edx; ret	1_2_00C0206C
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C039C1 push esp; ret	1_2_00C039C2
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03A90 push eax; ret	1_2_00C03A92
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C02A2B push 0000002Bh; ret	1_2_00C02A2D
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03344 push es; ret	1_2_00C03345
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03314 push cs; ret	1_2_00C03315
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03319 push cs; ret	1_2_00C0331A
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03454 push 0D00C2D7h; ret	1_2_00C03459
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C0246A push es; ret	1_2_00C0246B
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C035C5 push es; ret	1_2_00C035C6
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C03D27 pushfd ; ret	1_2_00C03D28
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C01EC1 pushfd ; ret	1_2_00C01EC3
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C026CC push ds; ret	1_2_00C026D2
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00C01FFD push ebx; ret	1_2_00C01FFE
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F1C5F pushfd ; retn 0031h	2_2_002F1C60
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F3454 push 0D0031D7h; ret	2_2_002F3459
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_003090D3 push es; iretd	2_2_003090D9
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002F2A2B push 0000002Bh; ret	2_2_002F2A2D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01013454 push 0D0103D7h; ret	4_2_01013459
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_010290D3 push es; iretd	4_2_010290D9
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01012A2B push 0000002Bh; ret	4_2_01012A2D
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C1C5F pushfd ; retn 006Eh	9_2_006C1C60
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C3454 push 0D006ED7h; ret	9_2_006C3459
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006D90D3 push es; iretd	9_2_006D90D9
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006C2A2B push 0000002Bh; ret	9_2_006C2A2D
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01013454 push 0D0103D7h; ret	10_2_01013459
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_010290D3 push es; iretd	10_2_010290D9
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01012A2B push 0000002Bh; ret	10_2_01012A2D
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001B1C5F pushfd ; retn 001Dh	16_2_001B1C60

Source: YiqjcLlhew.exe	Static PE information: section name: .text entropy: 6.868137010503397
Source: kfdag3t9jukjqfngi9xbw.exe.1.dr	Static PE information: section name: .text entropy: 6.868137010503397
Source: skjlipudplp.exe.2.dr	Static PE information: section name: .text entropy: 6.868137010503397
Source: xmjofjnkdlv.exe.4.dr	Static PE information: section name: .text entropy: 6.868137010503397

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	File created: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	File created: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Jump to dropped file
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	File created: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00BF53B0 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

1_2_00BF53B0

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	1_2_00C062D0
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	2_2_002F62D0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_010162D0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	9_2_006C62D0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_010162D0
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	16_2_001B62D0

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		2_2_003136D0
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		4_2_010336D0

Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Window / User API: threadDelayed 651	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Window / User API: threadDelayed 1224	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Window / User API: threadDelayed 626	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Window / User API: threadDelayed 1250	Jump to behavior

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_2-12213
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_1-12453
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_10-12352
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_9-12487

Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_9-10982
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_2-11069
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_4-11435
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_1-11444

Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe TID: 6308	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 2676	Thread sleep count: 651 > 30	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 2676	Thread sleep time: -651000s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 2676	Thread sleep count: 1224 > 30	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 2676	Thread sleep time: -1224000s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe TID: 2332	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe TID: 2168	Thread sleep time: -35552s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe TID: 2332	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 4268	Thread sleep count: 626 > 30	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 4268	Thread sleep time: -626000s >= -30000s	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 4268	Thread sleep count: 1250 > 30	Jump to behavior
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe TID: 4268	Thread sleep time: -1250000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	Code function: 1_2_00BF3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00BF3740
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	Code function: 2_2_002E3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_002E3740
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 4_2_01003740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_01003740
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 9_2_006B3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_006B3740
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Code function: 10_2_01003740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_01003740
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	Code function: 16_2_001A3740 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_001A3740

Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: skjlipudplp.exe, 0000000F.00000002.3077820317.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: skjlipudplp.exe, 00000004.00000002.2043452680.000000000117A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: svchost.exe, 00000007.00000002.3115652130.00000137A342B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000007.00000002.3115918790.00000137A348C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3115488483.00000137A3402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000007.00000002.3115918790.00000137A348C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3115994277.00000137A3502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3115918790.00000137A348C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: xmjofjnkdlv.exe.4.dr	Binary or memory string: Ogrleg mojpiwclu hgohensv gcpiejjg jodgipweki wnbobpgecx dsogobetfu jtdubbcems jmfev gvsoec dzjivmci clazigzd uazmga eovw frsou ujcmomdg bbxux jrkakam dkmome vaoceuui bur ggohoalduo xsucerb ninonoadcd ecpoey mgpidsyue bungiy mho zvo lpwap gsoijedge xylojggey polfuul ffmica ewwvoaku fpneripja drjevim ocv nylenmzo fdyiof kgpuosc arinyiblpu itc sfyeshege dre cglumcx vjjafy euenspiocf linbege lno gccuzomzek wdvulklu ncde fhjeurlw cpnejsp todpildsa tppafg qdzi ugpmohpt cgc rsmemlosi shpaofmge csfefi fzroldm fjafapd jjgiepjucu rinjiwib jaocupi nifimiou rguhiun uaglyipret ffsedei bulejucgm doncilsna vntigpjeag zcep mcuinu adj lmdexcokic mgvinfgug funfo dxueloudi beppie askqum jmidinbqi rvyanue jmxa qdozau cbdacfvuu baziwilt pcgasjn iuxmdip gfmama bnama cdf lva fviaab bogg lbide lsesommmuv iwjdea lpfaortio pxcu gblulmn lxr mupjaeao pbf jeifgo panuec pgyia j?'
Source: svchost.exe, 00000007.00000002.3115744735.00000137A3453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: kfdag3t9jukjqfngi9xbw.exe, 00000002.00000002.1289494680.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: svchost.exe, 0000000B.00000002.3115763849.000001DE82C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\YiqjcLlhew.exe	API call chain: ExitProcess graph end node	graph_1-11226
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	API call chain: ExitProcess graph end node	graph_1-11165
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	API call chain: ExitProcess graph end node	graph_1-11136
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	API call chain: ExitProcess graph end node	graph_1-11146
Source: C:\Users\user\Desktop\YiqjcLlhew.exe	API call chain: ExitProcess graph end node	graph_1-11038
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10659
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10626
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-11448
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10595
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10689
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10653
Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	API call chain: ExitProcess graph end node	graph_2-10605
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-11011
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-11041
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-11023
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-11004
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-10941
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-10952
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-10971
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_4-10842
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node	graph_9-10660
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node	graph_9-10670
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node	graph_9-10686
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node	graph_9-11660
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node	graph_9-10709
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_10-11023
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_10-10876
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_10-11001
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_10-11062
Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe	API call chain: ExitProcess graph end node	graph_10-10973
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node
Source: C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	API call chain: ExitProcess graph end node

Source: C:\vdjmzgowdzhfmld\skjlipudplp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C236D0 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

1_2_00C236D0

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C259B0 GetProcessHeap,RtlFreeHeap,

1_2_00C259B0

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00C11510 AllocateAndInitializeSid,CheckTokenMembership,

1_2_00C11510

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00BF7A90 GetSystemTimeAsFileTime,__aulldiv,

1_2_00BF7A90

Source: C:\Users\user\Desktop\YiqjcLlhew.exe

Code function: 1_2_00BF7FA0 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

1_2_00BF7FA0

Source: C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 00000008.00000002.3116349878.00000168AD302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.3116349878.00000168AD302000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	14 Windows Service	14 Windows Service	2 Obfuscated Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Process Injection	1 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
YiqjcLlhew.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
YiqjcLlhew.exe	100%	Avira	TR/Nivdort.Gen2
YiqjcLlhew.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	100%	Avira	TR/Nivdort.Gen2
C:\vdjmzgowdzhfmld\skjlipudplp.exe	100%	Avira	TR/Nivdort.Gen2
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	100%	Avira	TR/Nivdort.Gen2
C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	100%	Joe Sandbox ML
C:\vdjmzgowdzhfmld\skjlipudplp.exe	100%	Joe Sandbox ML
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	100%	Joe Sandbox ML
C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\vdjmzgowdzhfmld\skjlipudplp.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe	92%	ReversingLabs	Win32.Spyware.Nivdort

Source	Detection	Scanner	Label
https://t0.ssl.ak.dyn	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
degreedaughter.net	85.214.228.140	true	false	high
7450.bodis.com	199.59.243.227	true	false	high
gentleanother.net	54.244.188.177	true	false	high
returnbottle.net	18.143.155.63	true	false	high
difficultpeople.net	13.248.169.48	true	false	unknown
pleasantinstead.net	18.143.155.63	true	false	high
forwardpeople.net	unknown	unknown	false	high
degreeanother.net	unknown	unknown	false	high
degreeexplain.net	unknown	unknown	false	high
heaveninside.net	unknown	unknown	false	high
answerappear.net	unknown	unknown	false	high
heavybusiness.net	unknown	unknown	false	high
pleasantinside.net	unknown	unknown	false	high
requirebusiness.net	unknown	unknown	false	high
forwardinside.net	unknown	unknown	false	high
glassmanner.net	unknown	unknown	false	high
answerexplain.net	unknown	unknown	false	high
orderinside.net	unknown	unknown	false	high
variousappear.net	unknown	unknown	false	high
returnbright.net	unknown	unknown	false	high
difficultanother.net	unknown	unknown	false	high
heavyinside.net	unknown	unknown	false	high
forwardready.net	unknown	unknown	false	high
glassdaughter.net	unknown	unknown	false	high
necessarymanner.net	unknown	unknown	false	high
answeranother.net	unknown	unknown	false	high
leadermanner.net	unknown	unknown	false	high
heavybottle.net	unknown	unknown	false	high
heavenbright.net	unknown	unknown	false	high
heavydivide.net	unknown	unknown	false	high
degreebrown.net	unknown	unknown	false	high
gentleinstead.net	unknown	unknown	false	high
glassanother.net	unknown	unknown	false	high
heavenanother.net	unknown	unknown	false	high
difficultdaughter.net	unknown	unknown	true	unknown
difficultmanner.net	unknown	unknown	false	high
necessarypeople.net	unknown	unknown	true	unknown
glassexplain.net	unknown	unknown	false	high
pleasantpeople.net	unknown	unknown	true	unknown
requireinside.net	unknown	unknown	false	high
heavenexplain.net	unknown	unknown	false	high
forwardbusiness.net	unknown	unknown	false	high
difficultexplain.net	unknown	unknown	false	high
gentleappear.net	unknown	unknown	false	high
pleasantbright.net	unknown	unknown	false	high
returnexplain.net	unknown	unknown	false	high
pleasantready.net	unknown	unknown	true	unknown
gentlemanner.net	unknown	unknown	false	high
answerdaughter.net	unknown	unknown	false	high
heardinside.net	unknown	unknown	false	high
requiremanner.net	unknown	unknown	false	high
gentleexplain.net	unknown	unknown	false	high
glassappear.net	unknown	unknown	false	high
necessaryanother.net	unknown	unknown	false	high
glassinside.net	unknown	unknown	false	high
difficultbright.net	unknown	unknown	false	high
heardbrown.net	unknown	unknown	true	unknown
glasspeople.net	unknown	unknown	false	high
requireinstead.net	unknown	unknown	false	high
necessaryinside.net	unknown	unknown	false	high
returndivide.net	unknown	unknown	false	high
heardinstead.net	unknown	unknown	false	high
variousbright.net	unknown	unknown	false	high
degreebusiness.net	unknown	unknown	false	high
answerbusiness.net	unknown	unknown	false	high
heavenbusiness.net	unknown	unknown	false	high
gentledivide.net	unknown	unknown	false	high
variousinstead.net	unknown	unknown	false	high
gentlestream.net	unknown	unknown	false	high
pleasantmanner.net	unknown	unknown	false	high
necessaryappear.net	unknown	unknown	false	high
heardpeople.net	unknown	unknown	true	unknown
pleasantbusiness.net	unknown	unknown	false	high
heardbright.net	unknown	unknown	false	high
heavenbottle.net	unknown	unknown	false	high
heavynothing.net	unknown	unknown	false	high
gentlebusiness.net	unknown	unknown	false	high
ordermanner.net	unknown	unknown	false	high
leaderbottle.net	unknown	unknown	false	high
pleasantanother.net	unknown	unknown	false	high
heavyanother.net	unknown	unknown	false	high
degreeinstead.net	unknown	unknown	false	high
degreepeople.net	unknown	unknown	false	high
answerready.net	unknown	unknown	false	high
difficultbrown.net	unknown	unknown	true	unknown
answerbright.net	unknown	unknown	false	high
heavennothing.net	unknown	unknown	false	high
returninside.net	unknown	unknown	false	high
forwardbright.net	unknown	unknown	false	high
difficultinside.net	unknown	unknown	false	high
heavybright.net	unknown	unknown	false	high
pleasantdaughter.net	unknown	unknown	true	unknown
leaderanother.net	unknown	unknown	false	high
returninstead.net	unknown	unknown	false	high
difficultinstead.net	unknown	unknown	false	high
heavenappear.net	unknown	unknown	false	high
answerinside.net	unknown	unknown	false	high
degreebright.net	unknown	unknown	false	high
orderready.net	unknown	unknown	true	unknown
forwardbrown.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000003.00000003.1363744787.0000015A94E86000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364643194.0000015A94E88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364515591.0000015A94E50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1364049652.0000015A94E34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1364628795.0000015A94E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363938257.0000015A94E5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364035786.0000015A94E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	skjlipudplp.exe, 00000004.00000002.2043452680.0000000001185000.00000004.00000020.00020000.00000000.sdmp, skjlipudplp.exe, 0000000F.00000002.3077820317.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dyn	svchost.exe, 00000003.00000003.1364079628.0000015A94E32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000003.00000002.1364529567.0000015A94E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic	svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000003.00000002.1364436671.0000015A94E13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000003.00000002.1364545190.0000015A94E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364093528.0000015A94E57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364063118.0000015A94E52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1364571516.0000015A94E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364515591.0000015A94E50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364035786.0000015A94E5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtu	svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000002.1364456012.0000015A94E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363880780.0000015A94E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364587043.0000015A94E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000003.00000002.1364628795.0000015A94E81000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1364107538.0000015A94E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1363895726.0000015A94E62000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	difficultpeople.net	United States	16509	AMAZON-02US	false
18.143.155.63	returnbottle.net	United States	16509	AMAZON-02US	false
85.214.228.140	degreedaughter.net	Germany	6724	STRATOSTRATOAGDE	false
199.59.243.227	7450.bodis.com	United States	395082	BODIS-NJUS	false
54.244.188.177	gentleanother.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551217
Start date and time:	2024-11-07 16:03:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YiqjcLlhew.exe renamed because original name is a hash value
Original Sample Name:	e01a1e921ef924c2e1407fae1f09ec200cdb144973f431e81440e39b1005a9ce.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/6@335/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 83 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: YiqjcLlhew.exe

Simulations

Behavior and APIs

Time	Type	Description
11:50:02	API Interceptor	3689x Sleep call for process: xmjofjnkdlv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	difficultpeople.net/index.php
	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	www.how2.guru/20wk/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/ew98/
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	www.virtu.industries/uln2/
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	www.telforce.one/ykhz/
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	www.ulula.org/4w1b/
	IbRV4I7MrS.exe	Get hash	malicious	FormBook	Browse	www.ila.beauty/izfe/
	p4rsJEIb7k.exe	Get hash	malicious	FormBook	Browse	www.notepad.mobi/zut6/?Q2_4=Kt4qQSLgj4HorxpxZIZ4p+EAwKHWi+XN9OiBuCBJU5cikXkc2Sk5R2gtgSdO+P2tW+5SfoOeVCvwWIOnLXM8QNp6yDsCjrxQ3ZxiPCiDnoMvdK5RCpNRC70=&uXP=1HX8
	r6lOHDg9N9.exe	Get hash	malicious	FormBook	Browse	www.polarmuseum.info/9u26/
18.143.155.63	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	pleasantinstead.net/index.php
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	returnbottle.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gentleanother.net	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
returnbottle.net	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	18.143.155.63
degreedaughter.net	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
7450.bodis.com	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
STRATOSTRATOAGDE	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	85.214.228.140
AMAZON-02US	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	m8P4HaY7dU.vbs	Get hash	malicious	Unknown	Browse	18.226.186.214
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
BODIS-NJUS	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	8CO4P3HwDt.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	nnzZhhVIqM.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	66HKNPT1fl.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	BNGj6QoBjK.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PORgjGswYg.exe	Get hash	malicious	Unknown	Browse	199.59.243.227

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2522014223315048
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rY3+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxb:FaqdF7G+AAHdKoqKFxcxkFm
MD5:	5E6B9870FB59E0BC5B3E1E8291C27BA3
SHA1:	DBEB964C5A865D69E63E11C63D2C6B982DDFC6FE
SHA-256:	636C0E6E65A624610C943209086BE5F0ED923735F8E465574592EC5E63CDACCD
SHA-512:	8440E77988088EE1AF58B21A32459D8FAA2981F8BA0975A43C680F629182B365E1FBB5A8DF96593CF6DEE552D731A83C8A8F0724E139659984A72D81706FC7A5
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. N.o.v. .. 0.7. .. 2.0.2.4. .1.1.:.5.0.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\vdjmzgowdzhfmld\ceoxltnia

Download File

Process:	C:\Users\user\Desktop\YiqjcLlhew.exe
File Type:	Non-ISO extended-ASCII text
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:ign:ig
MD5:	848E1C84F4DAA882C9652ECE27785309
SHA1:	B87C783FEE5FE47917E533D4995701851ED25EE2
SHA-256:	3B8F78C362F113BCD28891E0E1195F4D2B98AB523B1C6E0FEA7B74FC0A7AF5AA
SHA-512:	2276401873F5713355A0ECF990A72CD402D1CD432ECF971637E4239D8DE877BB485B87A35A4DB94E29621B64A94AC0A6F566259CBC5742A088F07969F35A7FC9
Malicious:	false
Preview:	..`s.b1.

C:\vdjmzgowdzhfmld\ceoxltnia

Download File

Process:	C:\Users\user\Desktop\YiqjcLlhew.exe
File Type:	Non-ISO extended-ASCII text
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:ign:ig
MD5:	848E1C84F4DAA882C9652ECE27785309
SHA1:	B87C783FEE5FE47917E533D4995701851ED25EE2
SHA-256:	3B8F78C362F113BCD28891E0E1195F4D2B98AB523B1C6E0FEA7B74FC0A7AF5AA
SHA-512:	2276401873F5713355A0ECF990A72CD402D1CD432ECF971637E4239D8DE877BB485B87A35A4DB94E29621B64A94AC0A6F566259CBC5742A088F07969F35A7FC9
Malicious:	false
Preview:	..`s.b1.

C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe

Download File

Process:	C:\Users\user\Desktop\YiqjcLlhew.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282112
Entropy (8bit):	7.143656205471311
Encrypted:	false
SSDEEP:	6144:0u5QPgyknFyneuvNYXK/+w6doLOjO3+0UnGiE7saNZ:KPgnnEnh1GNsO49UGX7saP
MD5:	F51DA33B8F97EC40E1960522549DCCA7
SHA1:	001FFE1D668E5131CEF1F105BFEDE3780C123EF8
SHA-256:	E01A1E921EF924C2E1407FAE1F09EC200CDB144973F431E81440E39B1005A9CE
SHA-512:	A3C31FDD2C71A21EA007860E13860D79746BEC527D31B200D7905569DDC1A4495DD0C0440B1E9EF97D61BBB1B91367DDFDF87F583B96ED60E8C5A44DE43F1684
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i..............%\|.................................Rich............PE..L....-.V.................\...>.......U.......p....@.......................................@....................................P............................ .......................................................p..\|............................text....[.......\.................. ..`.rdata...H...p...J...`..............@..@.data...lP..........................@....reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\vdjmzgowdzhfmld\skjlipudplp.exe

Download File

Process:	C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282112
Entropy (8bit):	7.143656205471311
Encrypted:	false
SSDEEP:	6144:0u5QPgyknFyneuvNYXK/+w6doLOjO3+0UnGiE7saNZ:KPgnnEnh1GNsO49UGX7saP
MD5:	F51DA33B8F97EC40E1960522549DCCA7
SHA1:	001FFE1D668E5131CEF1F105BFEDE3780C123EF8
SHA-256:	E01A1E921EF924C2E1407FAE1F09EC200CDB144973F431E81440E39B1005A9CE
SHA-512:	A3C31FDD2C71A21EA007860E13860D79746BEC527D31B200D7905569DDC1A4495DD0C0440B1E9EF97D61BBB1B91367DDFDF87F583B96ED60E8C5A44DE43F1684
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i..............%\|.................................Rich............PE..L....-.V.................\...>.......U.......p....@.......................................@....................................P............................ .......................................................p..\|............................text....[.......\.................. ..`.rdata...H...p...J...`..............@..@.data...lP..........................@....reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe

Download File

Process:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282112
Entropy (8bit):	7.143656205471311
Encrypted:	false
SSDEEP:	6144:0u5QPgyknFyneuvNYXK/+w6doLOjO3+0UnGiE7saNZ:KPgnnEnh1GNsO49UGX7saP
MD5:	F51DA33B8F97EC40E1960522549DCCA7
SHA1:	001FFE1D668E5131CEF1F105BFEDE3780C123EF8
SHA-256:	E01A1E921EF924C2E1407FAE1F09EC200CDB144973F431E81440E39B1005A9CE
SHA-512:	A3C31FDD2C71A21EA007860E13860D79746BEC527D31B200D7905569DDC1A4495DD0C0440B1E9EF97D61BBB1B91367DDFDF87F583B96ED60E8C5A44DE43F1684
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i..............%\|.................................Rich............PE..L....-.V.................\...>.......U.......p....@.......................................@....................................P............................ .......................................................p..\|............................text....[.......\.................. ..`.rdata...H...p...J...`..............@..@.data...lP..........................@....reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.143656205471311
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YiqjcLlhew.exe
File size:	282'112 bytes
MD5:	f51da33b8f97ec40e1960522549dcca7
SHA1:	001ffe1d668e5131cef1f105bfede3780c123ef8
SHA256:	e01a1e921ef924c2e1407fae1f09ec200cdb144973f431e81440e39b1005a9ce
SHA512:	a3c31fdd2c71a21ea007860e13860d79746bec527d31b200d7905569ddc1a4495dd0c0440b1e9ef97d61bbb1b91367ddfdf87f583b96ed60e8c5a44de43f1684
SSDEEP:	6144:0u5QPgyknFyneuvNYXK/+w6doLOjO3+0UnGiE7saNZ:KPgnnEnh1GNsO49UGX7saP
TLSH:	D2548C55C9BA542ECC525EFD85AA3B72FCAF1072A7E805C3938230D0A4602F8DB76757
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i..............%\|.....................................Rich............PE..L....-.V.................\...>.......U.......p....@

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x425510
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x56892DF4 [Sun Jan 3 14:19:32 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fd660912aa6dbf67a78c3e4af3a5d215

Entrypoint Preview

Instruction
fld dword ptr [004790DCh]
fld dword ptr [0047DDD0h]
fmul qword ptr [004635D8h]
fadd dword ptr [00474998h]
fxch st(0), st(1)
fucomip st(0), st(1)
fstp st(0)
lahf
test ah, 00000044h
jnp 00007F9ED87DE504h
fld dword ptr [0047C3CCh]
fmul qword ptr [004588E0h]
fstp dword ptr [0047C3CCh]
call 00007F9ED87C483Ah
mov eax, dword ptr [00446434h]
imul eax, eax, 9882A734h
mov dword ptr [00446434h], eax
call 00007F9ED87DFB75h
push 00437184h
fld dword ptr [00474484h]
push 0043717Ch
fld qword ptr [00463938h]
fld dword ptr [0047977Ch]
fmulp st(2), st(0)
fsubrp st(1), st(0)
fstp dword ptr [00475624h]
fld dword ptr [0047977Ch]
fsub qword ptr [0043B0B0h]
fstp dword ptr [0047977Ch]
call 00007F9ED87EADC8h
mov cx, word ptr [0046FA0Ch]
mov edx, dword ptr [0043FF54h]
dec word ptr [0046FA0Ch]
imul edx, edx, ABEE16C1h
movsx eax, cx
sub eax, 0FAF8D35h
and eax, 1399A9A9h
and edx, CDFEA84Fh
add esp, 08h
cmp edx, eax
jnle 00007F9ED87DE50Fh
mov eax, dword ptr [0043F104h]
mov ecx, dword ptr [00000000h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b0e8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0x9e1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35bea	0x35c00	50375fc1d8dd7a60063c581b5c9ced1b	False	0.6988235828488372	data	6.868137010503397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x48f4	0x4a00	55ae83737777b356f3e01b6037c5df9e	False	0.8528821790540541	data	7.170520001196571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0x4506c	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x82000	0xa12e	0xa200	3af76855a0826f29034716a6eb8b96c5	False	0.6822675540123457	data	6.81111315269099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	GetClipRgn, GetStretchBltMode, GetPixelFormat, GetNearestPaletteIndex, GetNearestColor, GetTextCharacterExtra, GetTextCharset, SetSystemPaletteUse, GetMetaRgn, GetRandomRgn, GetMapMode, GetBkColor, GetDeviceCaps, GetFontLanguageInfo, SetTextJustification, GetObjectType, GetGraphicsMode, GetCurrentObject, GetFontUnicodeRanges, GetDCPenColor, GetDCBrushColor, GetSystemPaletteUse, GetPolyFillMode
USER32.dll	GetMenuItemID, ShowWindow, SendMessageA, GetDlgItemInt, GetScrollPos, GetMenuState, IsWindowEnabled, GetForegroundWindow, GetCursor, GetMenuItemCount, GetDlgItem, EndDialog, CheckDlgButton, GetWindowContextHelpId, MoveWindow, SetDlgItemTextA, SetFocus, DrawTextA, EnableWindow, RemovePropA, PostMessageA, GetQueueStatus, SetWindowTextA, EndPaint, IsWindowUnicode, BeginPaint, CallWindowProcA, GetPropA, GetMenuCheckMarkDimensions, GetKeyboardType, LoadIconA, GetInputState, GetMenu, WindowFromDC, GetDC, GetWindowDC, GetMenuContextHelpId
KERNEL32.dll	HeapAlloc, GetFileTime, WriteFile, GetCurrentThreadId, GetLastError, IsProcessorFeaturePresent, GetModuleHandleA, FlushFileBuffers, DeleteFileA, IsDebuggerPresent, GlobalSize, GetCurrentProcess, LockResource, MoveFileA, GlobalAlloc, CloseHandle, GetCurrentProcessId, SizeofResource, LocalFlags, GetDriveTypeA, GetTickCount, FindClose, GlobalHandle, GetFileType, GetVersion, GlobalFlags, QueryPerformanceCounter, FindResourceA, GetStdHandle, GetProcAddress, SetFilePointer, GetProcessHeap

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T16:04:54.762478+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.7	49699	199.59.243.227	80	TCP
2024-11-07T16:04:54.762478+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.7	49699	199.59.243.227	80	TCP
2024-11-07T16:04:57.711974+0100	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	1	1.1.1.1	53	192.168.2.7	62685	UDP
2024-11-07T16:04:57.989454+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.7	54957	UDP
2024-11-07T16:04:59.173639+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.7	49702	TCP
2024-11-07T16:04:59.173639+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.7	49702	TCP
2024-11-07T16:05:03.942656+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.143.155.63	80	192.168.2.7	57893	TCP
2024-11-07T16:05:03.942656+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.143.155.63	80	192.168.2.7	57893	TCP
2024-11-07T16:05:06.584363+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.7	57908	TCP
2024-11-07T16:05:44.687430+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.7	58082	TCP
2024-11-07T16:06:13.889430+0100	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	1	192.168.2.7	58142	199.59.243.227	80	TCP
2024-11-07T16:06:13.889430+0100	2820680	ETPRO MALWARE W32/Bayrob Attempted Checkin 2	1	192.168.2.7	58142	199.59.243.227	80	TCP
2024-11-07T16:06:18.908489+0100	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	1	1.1.1.1	53	192.168.2.7	61860	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:04:54.114063978 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.119014025 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:54.122404099 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.122488976 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.127326012 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:54.762036085 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:54.762058973 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:54.762439966 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:54.762478113 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.762521982 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.762569904 CET	49699	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:04:54.767394066 CET	80	49699	199.59.243.227	192.168.2.7
Nov 7, 2024 16:04:55.225203991 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:55.230006933 CET	80	49700	18.143.155.63	192.168.2.7
Nov 7, 2024 16:04:55.230104923 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:55.230233908 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:55.235021114 CET	80	49700	18.143.155.63	192.168.2.7
Nov 7, 2024 16:04:56.689035892 CET	80	49700	18.143.155.63	192.168.2.7
Nov 7, 2024 16:04:56.736439943 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:57.108383894 CET	80	49700	18.143.155.63	192.168.2.7
Nov 7, 2024 16:04:57.108510971 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:57.108567953 CET	49700	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:04:57.113440990 CET	80	49700	18.143.155.63	192.168.2.7
Nov 7, 2024 16:04:58.217560053 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:58.222623110 CET	80	49702	54.244.188.177	192.168.2.7
Nov 7, 2024 16:04:58.222695112 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:58.222752094 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:58.227790117 CET	80	49702	54.244.188.177	192.168.2.7
Nov 7, 2024 16:04:59.054225922 CET	80	49702	54.244.188.177	192.168.2.7
Nov 7, 2024 16:04:59.095752001 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:59.173639059 CET	80	49702	54.244.188.177	192.168.2.7
Nov 7, 2024 16:04:59.173705101 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:59.173835993 CET	49702	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:04:59.178610086 CET	80	49702	54.244.188.177	192.168.2.7
Nov 7, 2024 16:05:00.157984018 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.162780046 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:00.162852049 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.162895918 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.167635918 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:00.821821928 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:00.821846008 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:00.821913004 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.822402000 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:00.824769974 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.828676939 CET	49713	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:05:00.833540916 CET	80	49713	199.59.243.227	192.168.2.7
Nov 7, 2024 16:05:02.072386026 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:02.077435970 CET	80	57893	18.143.155.63	192.168.2.7
Nov 7, 2024 16:05:02.077533960 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:02.077590942 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:02.082468033 CET	80	57893	18.143.155.63	192.168.2.7
Nov 7, 2024 16:05:03.519365072 CET	80	57893	18.143.155.63	192.168.2.7
Nov 7, 2024 16:05:03.564460993 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:03.942656040 CET	80	57893	18.143.155.63	192.168.2.7
Nov 7, 2024 16:05:03.942737103 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:03.942820072 CET	57893	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:05:03.948371887 CET	80	57893	18.143.155.63	192.168.2.7
Nov 7, 2024 16:05:04.898952007 CET	57910	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:05:04.904232025 CET	80	57910	85.214.228.140	192.168.2.7
Nov 7, 2024 16:05:04.904362917 CET	57910	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:05:04.904403925 CET	57910	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:05:04.909315109 CET	80	57910	85.214.228.140	192.168.2.7
Nov 7, 2024 16:05:05.774672985 CET	80	57910	85.214.228.140	192.168.2.7
Nov 7, 2024 16:05:05.782511950 CET	57910	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:05:05.788260937 CET	80	57910	85.214.228.140	192.168.2.7
Nov 7, 2024 16:05:05.788330078 CET	57910	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:05:06.102709055 CET	57918	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:05:06.109411001 CET	80	57918	13.248.169.48	192.168.2.7
Nov 7, 2024 16:05:06.109520912 CET	57918	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:05:06.109601021 CET	57918	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:05:06.115005016 CET	80	57918	13.248.169.48	192.168.2.7
Nov 7, 2024 16:05:06.771162987 CET	80	57918	13.248.169.48	192.168.2.7
Nov 7, 2024 16:05:06.771286964 CET	57918	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:05:06.776700020 CET	80	57918	13.248.169.48	192.168.2.7
Nov 7, 2024 16:05:06.776758909 CET	57918	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:06:13.244801044 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.250037909 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.250207901 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.250207901 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.255532980 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.889210939 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.889235020 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.889430046 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.889761925 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.889873028 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.889945030 CET	58142	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:13.894798994 CET	80	58142	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:13.934396982 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:13.939275980 CET	80	58143	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:13.939409971 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:13.939496040 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:13.944312096 CET	80	58143	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:15.414011955 CET	80	58143	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:15.455346107 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:15.836807013 CET	80	58143	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:15.836877108 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:15.836929083 CET	58143	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:15.842331886 CET	80	58143	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:17.816056013 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:17.820986986 CET	80	58144	54.244.188.177	192.168.2.7
Nov 7, 2024 16:06:17.821110010 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:17.821192026 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:17.826046944 CET	80	58144	54.244.188.177	192.168.2.7
Nov 7, 2024 16:06:18.657655954 CET	80	58144	54.244.188.177	192.168.2.7
Nov 7, 2024 16:06:18.705281019 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:18.777640104 CET	80	58144	54.244.188.177	192.168.2.7
Nov 7, 2024 16:06:18.777889967 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:18.778032064 CET	58144	80	192.168.2.7	54.244.188.177
Nov 7, 2024 16:06:18.782851934 CET	80	58144	54.244.188.177	192.168.2.7
Nov 7, 2024 16:06:19.446645021 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:19.452275038 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:19.452378035 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:19.452415943 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:19.457740068 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:20.110213995 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:20.110289097 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:20.110357046 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:20.142303944 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:20.142375946 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:20.142422915 CET	58145	80	192.168.2.7	199.59.243.227
Nov 7, 2024 16:06:20.147351027 CET	80	58145	199.59.243.227	192.168.2.7
Nov 7, 2024 16:06:20.280092955 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:20.284945965 CET	80	58146	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:20.285036087 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:20.285101891 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:20.289978981 CET	80	58146	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:21.716443062 CET	80	58146	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:21.767646074 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:22.136550903 CET	80	58146	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:22.136662960 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:22.136744022 CET	58146	80	192.168.2.7	18.143.155.63
Nov 7, 2024 16:06:22.141597986 CET	80	58146	18.143.155.63	192.168.2.7
Nov 7, 2024 16:06:23.247762918 CET	58147	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:06:23.252830029 CET	80	58147	85.214.228.140	192.168.2.7
Nov 7, 2024 16:06:23.252940893 CET	58147	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:06:23.253009081 CET	58147	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:06:23.257913113 CET	80	58147	85.214.228.140	192.168.2.7
Nov 7, 2024 16:06:24.144799948 CET	80	58147	85.214.228.140	192.168.2.7
Nov 7, 2024 16:06:24.144948006 CET	58147	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:06:24.150803089 CET	80	58147	85.214.228.140	192.168.2.7
Nov 7, 2024 16:06:24.150877953 CET	58147	80	192.168.2.7	85.214.228.140
Nov 7, 2024 16:06:24.414608955 CET	58148	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:06:24.419425011 CET	80	58148	13.248.169.48	192.168.2.7
Nov 7, 2024 16:06:24.419548988 CET	58148	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:06:24.419708014 CET	58148	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:06:24.424715996 CET	80	58148	13.248.169.48	192.168.2.7
Nov 7, 2024 16:06:25.070838928 CET	80	58148	13.248.169.48	192.168.2.7
Nov 7, 2024 16:06:25.070988894 CET	58148	80	192.168.2.7	13.248.169.48
Nov 7, 2024 16:06:25.076627016 CET	80	58148	13.248.169.48	192.168.2.7
Nov 7, 2024 16:06:25.076692104 CET	58148	80	192.168.2.7	13.248.169.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 16:04:53.338180065 CET	64836	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.347775936 CET	53	64836	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.431658030 CET	57622	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.442743063 CET	53	57622	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.455488920 CET	55383	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.465126991 CET	53	55383	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.484484911 CET	56838	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.495286942 CET	53	56838	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.512731075 CET	55970	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.544032097 CET	53	55970	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.561743021 CET	64313	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.569571972 CET	53	64313	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.582180023 CET	62299	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.613780975 CET	53	62299	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.662542105 CET	63052	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.672549009 CET	53	63052	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.686337948 CET	53350	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.694328070 CET	53	53350	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.695242882 CET	56923	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.705370903 CET	53	56923	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.710184097 CET	57060	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.719063044 CET	53	57060	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.719861031 CET	53965	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.751280069 CET	53	53965	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.753633976 CET	58118	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:53.785763979 CET	53	58118	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:53.787420988 CET	52965	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:54.097103119 CET	53	52965	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:54.651170015 CET	55047	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:54.763448954 CET	57141	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:54.772690058 CET	53	57141	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:54.777815104 CET	53628	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:54.787415981 CET	53	53628	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:54.811119080 CET	59027	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:54.843070984 CET	53	59027	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:54.844233990 CET	51928	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:55.008295059 CET	53	51928	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:55.009560108 CET	50526	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:55.224541903 CET	53	50526	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.109288931 CET	55138	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.119527102 CET	53	55138	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.120357990 CET	53748	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.131095886 CET	53	53748	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.131963968 CET	52689	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.141644955 CET	53	52689	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.142405033 CET	52595	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.153564930 CET	53	52595	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.154519081 CET	57573	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.164263964 CET	53	57573	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.165899038 CET	58762	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.176110983 CET	53	58762	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.177367926 CET	53138	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.186676025 CET	53	53138	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.188241005 CET	63467	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.197581053 CET	53	63467	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.198290110 CET	60328	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.230848074 CET	53	60328	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.231749058 CET	59013	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.241862059 CET	53	59013	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.242712021 CET	50405	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.253117085 CET	53	50405	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.254049063 CET	62264	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.288800001 CET	53	62264	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.289617062 CET	52171	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.321398020 CET	53	52171	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.322403908 CET	52475	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.354087114 CET	53	52475	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.355010986 CET	60139	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.386241913 CET	53	60139	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.387264013 CET	49652	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.397490025 CET	53	49652	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.398180008 CET	64637	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.408019066 CET	53	64637	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.408673048 CET	54099	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.441931009 CET	53	54099	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.442778111 CET	49724	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.456258059 CET	53	49724	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.457134008 CET	61370	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.469532013 CET	53	61370	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.470324993 CET	56900	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.481367111 CET	53	56900	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.482214928 CET	62232	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.493697882 CET	53	62232	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.494571924 CET	52602	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.528162956 CET	53	52602	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.530622005 CET	56185	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.540806055 CET	53	56185	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.541726112 CET	55688	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.574012041 CET	53	55688	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.574944019 CET	61308	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.588335991 CET	53	61308	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.589308023 CET	61472	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.601798058 CET	53	61472	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.602615118 CET	63421	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.615495920 CET	53	63421	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.616301060 CET	52733	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.626497984 CET	53	52733	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.627238035 CET	60045	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.637691975 CET	53	60045	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.638377905 CET	62396	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.648102045 CET	53	62396	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.648880005 CET	53829	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.680032015 CET	53	53829	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.681056023 CET	62685	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.711973906 CET	53	62685	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.712934017 CET	49931	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.723645926 CET	53	49931	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.724490881 CET	51073	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.735065937 CET	53	51073	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.735954046 CET	55542	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.772583008 CET	53	55542	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.773463964 CET	53539	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.782725096 CET	53	53539	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.783576012 CET	50308	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.794508934 CET	53	50308	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.795252085 CET	49601	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.805000067 CET	53	49601	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.805844069 CET	56696	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.816334963 CET	53	56696	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.817037106 CET	61125	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.848032951 CET	53	61125	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.848908901 CET	51691	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.880276918 CET	53	51691	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.881280899 CET	53337	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.913297892 CET	53	53337	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.914066076 CET	55563	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.924864054 CET	53	55563	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.925741911 CET	59388	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.936068058 CET	53	59388	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.936747074 CET	57164	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.945817947 CET	53	57164	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.946566105 CET	53594	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.956614017 CET	53	53594	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.957256079 CET	54208	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.967164993 CET	53	54208	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.967781067 CET	62383	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.978880882 CET	53	62383	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.979677916 CET	54957	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:57.989454031 CET	53	54957	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:57.990117073 CET	53875	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:58.000984907 CET	53	53875	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:58.001585960 CET	51691	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:58.012195110 CET	53	51691	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:58.012940884 CET	63332	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:58.022697926 CET	53	63332	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:58.023471117 CET	49332	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:58.207989931 CET	53	49332	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.174587965 CET	49990	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.188363075 CET	53	49990	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.189136982 CET	54581	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.199888945 CET	53	54581	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.200771093 CET	59235	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.213710070 CET	53	59235	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.214442015 CET	50625	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.226752043 CET	53	50625	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.227502108 CET	51479	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.236771107 CET	53	51479	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.238127947 CET	65178	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.250068903 CET	53	65178	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.250833035 CET	55336	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.262159109 CET	53	55336	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.262835979 CET	52906	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.297399998 CET	53	52906	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.298413038 CET	53070	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.330907106 CET	53	53070	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.335175991 CET	54728	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.346285105 CET	53	54728	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.347074986 CET	65157	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.377984047 CET	53	65157	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.378774881 CET	55463	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.410007954 CET	53	55463	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.410912037 CET	55534	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.420322895 CET	53	55534	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.421039104 CET	55001	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.577178955 CET	53	55001	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.578217030 CET	57921	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.587853909 CET	53	57921	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.590070963 CET	54641	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.601001024 CET	53	54641	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.601766109 CET	56060	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.612354040 CET	53	56060	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.612963915 CET	51077	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.644774914 CET	53	51077	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.645545959 CET	60210	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.656642914 CET	53	60210	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.657206059 CET	54690	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.667671919 CET	53	54690	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.668186903 CET	51300	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.700613976 CET	53	51300	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.701560974 CET	54145	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.712245941 CET	53	54145	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.712958097 CET	56630	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.724016905 CET	53	56630	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.724668980 CET	58433	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.755714893 CET	53	58433	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.756987095 CET	50859	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:04:59.787955046 CET	53	50859	1.1.1.1	192.168.2.7
Nov 7, 2024 16:04:59.788727045 CET	63932	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:00.157084942 CET	53	63932	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:00.837236881 CET	64430	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:00.850101948 CET	53	64430	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:00.860681057 CET	51426	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:00.867376089 CET	53	51426	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.496670008 CET	64420	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.507688999 CET	53	64420	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.508873940 CET	54042	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.525317907 CET	53	54042	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.526537895 CET	51611	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.542020082 CET	53	51611	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.543303967 CET	58941	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.557168961 CET	53	58941	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.558034897 CET	61900	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.590400934 CET	53	61900	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.591540098 CET	51567	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.603935003 CET	53	51567	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.604729891 CET	60781	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.625219107 CET	53	60781	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.626282930 CET	54768	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:01.637314081 CET	53	54768	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:01.638262987 CET	61665	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:02.071599007 CET	53	61665	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:03.943608999 CET	63723	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:03.952143908 CET	53	63723	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:03.953285933 CET	49856	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:03.965478897 CET	53	49856	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:03.966414928 CET	55094	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:03.977418900 CET	53	55094	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:03.978100061 CET	56999	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:03.988667965 CET	53	56999	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:03.989298105 CET	61467	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:03.999515057 CET	53	61467	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.000319958 CET	61434	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.012185097 CET	53	61434	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.013094902 CET	59295	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.023416996 CET	53	59295	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.024194956 CET	52468	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.054416895 CET	53	52468	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.063393116 CET	61556	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.072954893 CET	53	61556	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.074084997 CET	59006	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.085130930 CET	53	59006	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.085887909 CET	64148	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.095150948 CET	53	64148	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.095750093 CET	50076	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.106045961 CET	53	50076	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.106578112 CET	53658	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.137325048 CET	53	53658	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.138430119 CET	55533	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.295079947 CET	53	55533	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.296591997 CET	49207	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.327666044 CET	53	49207	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.328846931 CET	63020	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.338426113 CET	53	63020	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.339399099 CET	50267	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.348624945 CET	53	50267	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.349437952 CET	63312	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.359141111 CET	53	63312	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.359925032 CET	60424	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.394874096 CET	53	60424	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.396054029 CET	59653	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.407636881 CET	53	59653	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.408826113 CET	58525	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.416245937 CET	53	58525	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.417319059 CET	58472	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.427758932 CET	53	58472	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.428560972 CET	60840	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.439228058 CET	53	60840	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.440511942 CET	54551	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.453368902 CET	53	54551	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.454464912 CET	59328	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.488535881 CET	53	59328	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.489828110 CET	60457	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.502510071 CET	53	60457	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.503396988 CET	58757	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.534972906 CET	53	58757	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.535904884 CET	52779	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.545937061 CET	53	52779	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.547101021 CET	50139	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.556900024 CET	53	50139	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.557682037 CET	59286	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.588821888 CET	53	59286	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.589994907 CET	62320	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.600617886 CET	53	62320	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.601399899 CET	49908	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.611424923 CET	53	49908	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.612142086 CET	59479	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.622478962 CET	53	59479	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.623152018 CET	52681	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.632677078 CET	53	52681	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.633512020 CET	55266	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.663984060 CET	53	55266	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.665741920 CET	53600	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.696541071 CET	53	53600	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.697698116 CET	59609	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.707931042 CET	53	59609	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.709342003 CET	59893	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.719094038 CET	53	59893	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.725923061 CET	51991	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.735214949 CET	53	51991	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.736046076 CET	59594	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.746452093 CET	53	59594	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.749372005 CET	55960	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.759437084 CET	53	55960	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.771684885 CET	60397	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.779006958 CET	53	60397	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.779736996 CET	59794	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.789272070 CET	53	59794	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.789875984 CET	49539	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.799742937 CET	53	49539	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.800899982 CET	55945	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.810883999 CET	53	55945	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:04.811793089 CET	62092	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:04.898118019 CET	53	62092	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.783993959 CET	53999	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.795481920 CET	53	53999	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.796269894 CET	54388	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.806155920 CET	53	54388	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.807038069 CET	61146	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.816298008 CET	53	61146	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.817270041 CET	60999	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.829643011 CET	53	60999	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.830538034 CET	58575	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.845227003 CET	53	58575	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.846167088 CET	51516	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.857165098 CET	53	51516	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.857894897 CET	55577	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.868282080 CET	53	55577	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.868958950 CET	56880	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.900918961 CET	53	56880	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.901583910 CET	58365	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.913753033 CET	53	58365	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.914402962 CET	61404	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.946469069 CET	53	61404	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.947405100 CET	53219	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:05.978557110 CET	53	53219	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:05.979351997 CET	55130	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:06.011785984 CET	53	55130	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:06.012622118 CET	51647	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:06.043571949 CET	53	51647	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:06.044363022 CET	52581	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:06.102107048 CET	53	52581	1.1.1.1	192.168.2.7
Nov 7, 2024 16:05:19.471246958 CET	60340	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:05:19.878576040 CET	53	60340	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:13.228653908 CET	55612	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:13.241674900 CET	53	55612	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:13.890738010 CET	49517	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:13.900947094 CET	53	49517	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:13.901784897 CET	64384	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:13.912138939 CET	53	64384	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:13.912729979 CET	50401	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:13.923098087 CET	53	50401	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:13.923698902 CET	60869	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:13.933649063 CET	53	60869	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.837690115 CET	61571	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:15.870649099 CET	53	61571	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.871766090 CET	65051	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:15.907392025 CET	53	65051	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.908292055 CET	61654	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:15.918662071 CET	53	61654	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.919238091 CET	61938	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:15.949609041 CET	53	61938	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.950423956 CET	64803	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:15.980979919 CET	53	64803	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:15.981719971 CET	62186	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.135237932 CET	53	62186	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.136574030 CET	57535	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.168159008 CET	53	57535	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.169140100 CET	63890	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.178093910 CET	53	63890	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.178730965 CET	61443	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.209016085 CET	53	61443	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.209842920 CET	61548	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.220129967 CET	53	61548	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.220808029 CET	62494	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.230613947 CET	53	62494	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.231169939 CET	62703	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.241934061 CET	53	62703	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.242518902 CET	56530	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.273034096 CET	53	56530	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.273839951 CET	62059	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.283898115 CET	53	62059	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.284801006 CET	58071	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.317037106 CET	53	58071	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.317785025 CET	50150	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.328620911 CET	53	50150	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.329255104 CET	61681	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.339920044 CET	53	61681	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.340610027 CET	65017	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.373490095 CET	53	65017	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.374212980 CET	52798	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.384622097 CET	53	52798	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.385312080 CET	55481	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.416042089 CET	53	55481	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.417017937 CET	60283	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.427623034 CET	53	60283	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.428956985 CET	60522	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.440568924 CET	53	60522	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.441554070 CET	65145	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.452315092 CET	53	65145	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.453382015 CET	64757	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.461631060 CET	53	64757	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.462553978 CET	56096	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.494417906 CET	53	56096	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.495667934 CET	54795	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.505398989 CET	53	54795	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.506218910 CET	61036	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.517252922 CET	53	61036	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.518281937 CET	59835	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.529340029 CET	53	59835	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.530108929 CET	51041	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.692389965 CET	53	51041	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.693650007 CET	52774	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.704786062 CET	53	52774	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.705477953 CET	50345	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.735780954 CET	53	50345	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.737010956 CET	54642	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.747987032 CET	53	54642	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.748720884 CET	53235	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.781043053 CET	53	53235	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.782176018 CET	59126	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.792679071 CET	53	59126	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.795878887 CET	61059	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.827554941 CET	53	61059	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.828744888 CET	58236	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.840500116 CET	53	58236	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.841034889 CET	59839	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.850759029 CET	53	59839	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.851843119 CET	65390	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.858927965 CET	53	65390	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.859572887 CET	55457	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.890587091 CET	53	55457	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.891239882 CET	54843	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.901130915 CET	53	54843	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.919833899 CET	51849	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.930253029 CET	53	51849	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.934252024 CET	59908	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.944922924 CET	53	59908	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.951008081 CET	56852	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.982917070 CET	53	56852	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:16.984493971 CET	52299	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:16.994539022 CET	53	52299	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.078607082 CET	51218	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.088989973 CET	53	51218	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.095710993 CET	63527	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.105096102 CET	53	63527	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.115420103 CET	60304	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.127393961 CET	53	60304	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.139420033 CET	50178	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.150991917 CET	53	50178	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.159482002 CET	49265	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.170691967 CET	53	49265	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.179341078 CET	55076	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.211982012 CET	53	55076	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.335670948 CET	58332	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.508321047 CET	53	58332	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.509546041 CET	55815	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.803721905 CET	53	55815	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:17.804976940 CET	54534	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:17.815033913 CET	53	54534	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.778865099 CET	58094	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.810669899 CET	53	58094	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.811981916 CET	53263	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.822026968 CET	53	53263	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.822931051 CET	59527	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.831190109 CET	53	59527	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.831818104 CET	54725	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.863784075 CET	53	54725	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.864805937 CET	60448	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.875801086 CET	53	60448	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.876385927 CET	61860	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.908488989 CET	53	61860	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.909574032 CET	51568	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.920857906 CET	53	51568	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.921461105 CET	63400	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.930834055 CET	53	63400	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.931700945 CET	64007	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.940620899 CET	53	64007	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.943310022 CET	51917	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.975406885 CET	53	51917	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.976548910 CET	57902	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.987499952 CET	53	57902	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.988806009 CET	55030	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:18.998583078 CET	53	55030	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:18.999824047 CET	58991	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.010644913 CET	53	58991	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.011821032 CET	62522	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.023623943 CET	53	62522	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.024602890 CET	61752	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.034188032 CET	53	61752	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.035212994 CET	56298	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.044912100 CET	53	56298	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.045748949 CET	60070	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.080305099 CET	53	60070	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.081449032 CET	52282	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.092499018 CET	53	52282	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.093252897 CET	58828	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.377610922 CET	53	58828	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.378760099 CET	49746	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.389084101 CET	53	49746	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.389883041 CET	64373	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.400989056 CET	53	64373	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.401849031 CET	60403	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.413288116 CET	53	60403	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.413997889 CET	54960	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.423425913 CET	53	54960	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.424200058 CET	53258	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.435513020 CET	53	53258	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:19.436206102 CET	50295	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:19.445924997 CET	53	50295	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.143295050 CET	55500	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.153610945 CET	53	55500	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.154597998 CET	54983	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.165843010 CET	53	54983	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.166747093 CET	63698	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.177536964 CET	53	63698	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.178278923 CET	56804	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.210980892 CET	53	56804	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.212093115 CET	64111	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.221388102 CET	53	64111	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.222141027 CET	54191	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.231720924 CET	53	54191	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.232314110 CET	59033	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.242531061 CET	53	59033	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.243350029 CET	59434	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.257350922 CET	53	59434	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.258239985 CET	60606	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.268990993 CET	53	60606	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:20.269732952 CET	55208	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:20.279407978 CET	53	55208	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.137578011 CET	62641	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.168255091 CET	53	62641	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.169378042 CET	57948	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.178970098 CET	53	57948	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.179856062 CET	57487	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.190231085 CET	53	57487	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.191088915 CET	60895	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.222270012 CET	53	60895	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.223222971 CET	58522	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.254055023 CET	53	58522	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.254877090 CET	63556	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.266948938 CET	53	63556	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.268040895 CET	53760	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.280015945 CET	53	53760	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.281100988 CET	59962	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.293625116 CET	53	59962	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.294612885 CET	62455	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.626678944 CET	53	62455	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.627989054 CET	56955	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.646739006 CET	53	56955	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.647664070 CET	62900	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.659812927 CET	53	62900	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.660629988 CET	53396	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.670561075 CET	53	53396	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.671309948 CET	49769	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.678847075 CET	53	49769	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.679553032 CET	64766	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.710272074 CET	53	64766	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.711180925 CET	50054	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.721167088 CET	53	50054	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.722016096 CET	64184	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.731053114 CET	53	64184	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.731651068 CET	53479	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.763225079 CET	53	53479	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.764384031 CET	62193	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.776185989 CET	53	62193	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.777165890 CET	63025	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.809418917 CET	53	63025	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.810587883 CET	65312	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.820486069 CET	53	65312	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.821203947 CET	60565	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.830835104 CET	53	60565	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.831527948 CET	49724	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.862989902 CET	53	49724	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.863894939 CET	58573	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.874079943 CET	53	58573	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.875005007 CET	56180	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.885051966 CET	53	56180	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.886010885 CET	61453	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.918699980 CET	53	61453	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.919850111 CET	56670	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.930339098 CET	53	56670	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.931025982 CET	54375	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.941837072 CET	53	54375	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.942696095 CET	55823	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.953903913 CET	53	55823	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.955173016 CET	61843	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.967137098 CET	53	61843	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.968086004 CET	54551	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.979480028 CET	53	54551	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.980334997 CET	51891	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:22.991755009 CET	53	51891	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:22.992647886 CET	50115	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.003772974 CET	53	50115	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.004740000 CET	54290	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.015326023 CET	53	54290	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.016379118 CET	62738	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.026288986 CET	53	62738	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.026945114 CET	51587	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.058242083 CET	53	51587	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.059385061 CET	59358	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.071223974 CET	53	59358	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.072128057 CET	53254	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.084067106 CET	53	53254	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.089428902 CET	50172	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.099183083 CET	53	50172	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.100639105 CET	60976	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.110130072 CET	53	60976	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.111120939 CET	50816	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.144303083 CET	53	50816	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.145504951 CET	59413	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.178760052 CET	53	59413	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.179832935 CET	65156	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.190239906 CET	53	65156	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.191200018 CET	56665	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.202291012 CET	53	56665	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.203571081 CET	59499	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.213856936 CET	53	59499	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:23.214863062 CET	53007	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:23.246272087 CET	53	53007	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.145634890 CET	56599	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.156712055 CET	53	56599	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.157644033 CET	54748	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.167757988 CET	53	54748	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.168418884 CET	59266	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.178181887 CET	53	59266	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.178752899 CET	49574	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.188976049 CET	53	49574	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.189691067 CET	59305	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.200680971 CET	53	59305	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.201395988 CET	53039	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.232965946 CET	53	53039	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.233980894 CET	51825	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.265383005 CET	53	51825	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.266592979 CET	60014	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.298288107 CET	53	60014	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.299397945 CET	51989	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.329695940 CET	53	51989	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.330964088 CET	50093	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.341428995 CET	53	50093	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.342278957 CET	58491	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.373423100 CET	53	58491	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.374471903 CET	57903	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.381778955 CET	53	57903	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:24.382653952 CET	55546	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:24.413360119 CET	53	55546	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.071810007 CET	58640	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.083077908 CET	53	58640	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.084183931 CET	52653	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.094639063 CET	53	52653	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.097138882 CET	55412	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.128739119 CET	53	55412	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.129976034 CET	57249	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.140746117 CET	53	57249	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.141922951 CET	53604	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.152528048 CET	53	53604	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.153949976 CET	57793	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.185609102 CET	53	57793	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.186777115 CET	53105	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.196960926 CET	53	53105	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.198209047 CET	65469	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.207999945 CET	53	65469	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.208930016 CET	55017	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.219086885 CET	53	55017	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.219918013 CET	61913	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.230993986 CET	53	61913	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.232105970 CET	50659	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.265225887 CET	53	50659	1.1.1.1	192.168.2.7
Nov 7, 2024 16:06:25.266164064 CET	58009	53	192.168.2.7	1.1.1.1
Nov 7, 2024 16:06:25.276272058 CET	53	58009	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 16:04:53.338180065 CET	192.168.2.7	1.1.1.1	0x4749	Standard query (0)	heavennothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.431658030 CET	192.168.2.7	1.1.1.1	0x3867	Standard query (0)	leaderbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.455488920 CET	192.168.2.7	1.1.1.1	0x6a44	Standard query (0)	heavenbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.484484911 CET	192.168.2.7	1.1.1.1	0x63c6	Standard query (0)	leaderdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.512731075 CET	192.168.2.7	1.1.1.1	0x81f8	Standard query (0)	heavendivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.561743021 CET	192.168.2.7	1.1.1.1	0xdfb9	Standard query (0)	heavystream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.582180023 CET	192.168.2.7	1.1.1.1	0x3eda	Standard query (0)	gentlestream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.662542105 CET	192.168.2.7	1.1.1.1	0xf7cd	Standard query (0)	heavynothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.686337948 CET	192.168.2.7	1.1.1.1	0x4986	Standard query (0)	gentlenothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.695242882 CET	192.168.2.7	1.1.1.1	0x7450	Standard query (0)	heavybottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.710184097 CET	192.168.2.7	1.1.1.1	0x571b	Standard query (0)	gentlebottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.719861031 CET	192.168.2.7	1.1.1.1	0xe3e6	Standard query (0)	heavydivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.753633976 CET	192.168.2.7	1.1.1.1	0x7823	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.787420988 CET	192.168.2.7	1.1.1.1	0xa8df	Standard query (0)	variousstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.651170015 CET	192.168.2.7	1.1.1.1	0x94f1	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.763448954 CET	192.168.2.7	1.1.1.1	0x72a6	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.777815104 CET	192.168.2.7	1.1.1.1	0xc136	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.811119080 CET	192.168.2.7	1.1.1.1	0xf532	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.844233990 CET	192.168.2.7	1.1.1.1	0x3a00	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.009560108 CET	192.168.2.7	1.1.1.1	0xf1c2	Standard query (0)	returnbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.109288931 CET	192.168.2.7	1.1.1.1	0xdf57	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.120357990 CET	192.168.2.7	1.1.1.1	0x40df	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.131963968 CET	192.168.2.7	1.1.1.1	0x46b3	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.142405033 CET	192.168.2.7	1.1.1.1	0xd6a6	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.154519081 CET	192.168.2.7	1.1.1.1	0x4720	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.165899038 CET	192.168.2.7	1.1.1.1	0xdbe9	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.177367926 CET	192.168.2.7	1.1.1.1	0xa632	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.188241005 CET	192.168.2.7	1.1.1.1	0x1ae	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.198290110 CET	192.168.2.7	1.1.1.1	0x2eb6	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.231749058 CET	192.168.2.7	1.1.1.1	0xa211	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.242712021 CET	192.168.2.7	1.1.1.1	0xff8d	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.254049063 CET	192.168.2.7	1.1.1.1	0xa525	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.289617062 CET	192.168.2.7	1.1.1.1	0xd9cc	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.322403908 CET	192.168.2.7	1.1.1.1	0xdec7	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.355010986 CET	192.168.2.7	1.1.1.1	0x80f0	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.387264013 CET	192.168.2.7	1.1.1.1	0xf930	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.398180008 CET	192.168.2.7	1.1.1.1	0x8a45	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.408673048 CET	192.168.2.7	1.1.1.1	0x29df	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.442778111 CET	192.168.2.7	1.1.1.1	0x2c15	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.457134008 CET	192.168.2.7	1.1.1.1	0xf275	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.470324993 CET	192.168.2.7	1.1.1.1	0x2c29	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.482214928 CET	192.168.2.7	1.1.1.1	0x2dd0	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.494571924 CET	192.168.2.7	1.1.1.1	0xd97	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.530622005 CET	192.168.2.7	1.1.1.1	0xc136	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.541726112 CET	192.168.2.7	1.1.1.1	0x608f	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.574944019 CET	192.168.2.7	1.1.1.1	0xa8cb	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.589308023 CET	192.168.2.7	1.1.1.1	0x1db8	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.602615118 CET	192.168.2.7	1.1.1.1	0xe634	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.616301060 CET	192.168.2.7	1.1.1.1	0xa98c	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.627238035 CET	192.168.2.7	1.1.1.1	0x21aa	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.638377905 CET	192.168.2.7	1.1.1.1	0x8840	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.648880005 CET	192.168.2.7	1.1.1.1	0x279e	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.681056023 CET	192.168.2.7	1.1.1.1	0x9aeb	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.712934017 CET	192.168.2.7	1.1.1.1	0xa1c1	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.724490881 CET	192.168.2.7	1.1.1.1	0xa947	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.735954046 CET	192.168.2.7	1.1.1.1	0x87ab	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.773463964 CET	192.168.2.7	1.1.1.1	0x1413	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.783576012 CET	192.168.2.7	1.1.1.1	0xf0c6	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.795252085 CET	192.168.2.7	1.1.1.1	0x4f45	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.805844069 CET	192.168.2.7	1.1.1.1	0xd26e	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.817037106 CET	192.168.2.7	1.1.1.1	0xc247	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.848908901 CET	192.168.2.7	1.1.1.1	0x315	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.881280899 CET	192.168.2.7	1.1.1.1	0x6675	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.914066076 CET	192.168.2.7	1.1.1.1	0xe236	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.925741911 CET	192.168.2.7	1.1.1.1	0x647	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.936747074 CET	192.168.2.7	1.1.1.1	0xf07	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.946566105 CET	192.168.2.7	1.1.1.1	0x5d2d	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.957256079 CET	192.168.2.7	1.1.1.1	0x1eee	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.967781067 CET	192.168.2.7	1.1.1.1	0x99cc	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.979677916 CET	192.168.2.7	1.1.1.1	0xf288	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.990117073 CET	192.168.2.7	1.1.1.1	0x95dc	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.001585960 CET	192.168.2.7	1.1.1.1	0x7f8c	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.012940884 CET	192.168.2.7	1.1.1.1	0x8530	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.023471117 CET	192.168.2.7	1.1.1.1	0x4ce2	Standard query (0)	gentleanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.174587965 CET	192.168.2.7	1.1.1.1	0x5baf	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.189136982 CET	192.168.2.7	1.1.1.1	0xbfe	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.200771093 CET	192.168.2.7	1.1.1.1	0xd13e	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.214442015 CET	192.168.2.7	1.1.1.1	0xbde4	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.227502108 CET	192.168.2.7	1.1.1.1	0x2308	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.238127947 CET	192.168.2.7	1.1.1.1	0x774c	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.250833035 CET	192.168.2.7	1.1.1.1	0xa0a4	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.262835979 CET	192.168.2.7	1.1.1.1	0x69a8	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.298413038 CET	192.168.2.7	1.1.1.1	0x898f	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.335175991 CET	192.168.2.7	1.1.1.1	0xc11b	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.347074986 CET	192.168.2.7	1.1.1.1	0xe88b	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.378774881 CET	192.168.2.7	1.1.1.1	0xaad9	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.410912037 CET	192.168.2.7	1.1.1.1	0x227	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.421039104 CET	192.168.2.7	1.1.1.1	0x1d3a	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.578217030 CET	192.168.2.7	1.1.1.1	0x80d8	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.590070963 CET	192.168.2.7	1.1.1.1	0x126a	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.601766109 CET	192.168.2.7	1.1.1.1	0xa657	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.612963915 CET	192.168.2.7	1.1.1.1	0x49ba	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.645545959 CET	192.168.2.7	1.1.1.1	0x5cee	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.657206059 CET	192.168.2.7	1.1.1.1	0xef59	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.668186903 CET	192.168.2.7	1.1.1.1	0x58e4	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.701560974 CET	192.168.2.7	1.1.1.1	0xce57	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.712958097 CET	192.168.2.7	1.1.1.1	0x7a20	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.724668980 CET	192.168.2.7	1.1.1.1	0xed1c	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.756987095 CET	192.168.2.7	1.1.1.1	0xbfa	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.788727045 CET	192.168.2.7	1.1.1.1	0x53d5	Standard query (0)	glassbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.837236881 CET	192.168.2.7	1.1.1.1	0xf65b	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.860681057 CET	192.168.2.7	1.1.1.1	0xafc5	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.496670008 CET	192.168.2.7	1.1.1.1	0x3183	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.508873940 CET	192.168.2.7	1.1.1.1	0xa955	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.526537895 CET	192.168.2.7	1.1.1.1	0x34d0	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.543303967 CET	192.168.2.7	1.1.1.1	0xe440	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.558034897 CET	192.168.2.7	1.1.1.1	0x3786	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.591540098 CET	192.168.2.7	1.1.1.1	0xb89	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.604729891 CET	192.168.2.7	1.1.1.1	0xe8e2	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.626282930 CET	192.168.2.7	1.1.1.1	0x2cf2	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.638262987 CET	192.168.2.7	1.1.1.1	0x1f9	Standard query (0)	pleasantinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.943608999 CET	192.168.2.7	1.1.1.1	0xf675	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.953285933 CET	192.168.2.7	1.1.1.1	0xae27	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.966414928 CET	192.168.2.7	1.1.1.1	0x5326	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.978100061 CET	192.168.2.7	1.1.1.1	0xd630	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.989298105 CET	192.168.2.7	1.1.1.1	0xd3d5	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.000319958 CET	192.168.2.7	1.1.1.1	0x829a	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.013094902 CET	192.168.2.7	1.1.1.1	0xe5f3	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.024194956 CET	192.168.2.7	1.1.1.1	0x14fe	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.063393116 CET	192.168.2.7	1.1.1.1	0x1ecf	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.074084997 CET	192.168.2.7	1.1.1.1	0x8829	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.085887909 CET	192.168.2.7	1.1.1.1	0xcc2e	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.095750093 CET	192.168.2.7	1.1.1.1	0xda2e	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.106578112 CET	192.168.2.7	1.1.1.1	0x981a	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.138430119 CET	192.168.2.7	1.1.1.1	0x3602	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.296591997 CET	192.168.2.7	1.1.1.1	0x8641	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.328846931 CET	192.168.2.7	1.1.1.1	0x8b7c	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.339399099 CET	192.168.2.7	1.1.1.1	0x916a	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.349437952 CET	192.168.2.7	1.1.1.1	0xafd0	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.359925032 CET	192.168.2.7	1.1.1.1	0x1689	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.396054029 CET	192.168.2.7	1.1.1.1	0x5336	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.408826113 CET	192.168.2.7	1.1.1.1	0xee4	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.417319059 CET	192.168.2.7	1.1.1.1	0x31a5	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.428560972 CET	192.168.2.7	1.1.1.1	0xa17d	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.440511942 CET	192.168.2.7	1.1.1.1	0x51ad	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.454464912 CET	192.168.2.7	1.1.1.1	0x458e	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.489828110 CET	192.168.2.7	1.1.1.1	0xe3cf	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.503396988 CET	192.168.2.7	1.1.1.1	0xae12	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.535904884 CET	192.168.2.7	1.1.1.1	0xf732	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.547101021 CET	192.168.2.7	1.1.1.1	0x275c	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.557682037 CET	192.168.2.7	1.1.1.1	0x40f9	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.589994907 CET	192.168.2.7	1.1.1.1	0x4cf9	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.601399899 CET	192.168.2.7	1.1.1.1	0x11c7	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.612142086 CET	192.168.2.7	1.1.1.1	0x2541	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.623152018 CET	192.168.2.7	1.1.1.1	0xafc4	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.633512020 CET	192.168.2.7	1.1.1.1	0x392f	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.665741920 CET	192.168.2.7	1.1.1.1	0x4ff9	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.697698116 CET	192.168.2.7	1.1.1.1	0xc3ff	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.709342003 CET	192.168.2.7	1.1.1.1	0x7b26	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.725923061 CET	192.168.2.7	1.1.1.1	0x2ca6	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.736046076 CET	192.168.2.7	1.1.1.1	0x24e9	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.749372005 CET	192.168.2.7	1.1.1.1	0xf54c	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.771684885 CET	192.168.2.7	1.1.1.1	0x1ff7	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.779736996 CET	192.168.2.7	1.1.1.1	0xfe59	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.789875984 CET	192.168.2.7	1.1.1.1	0xe0e	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.800899982 CET	192.168.2.7	1.1.1.1	0xe653	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.811793089 CET	192.168.2.7	1.1.1.1	0xe809	Standard query (0)	degreedaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.783993959 CET	192.168.2.7	1.1.1.1	0x71c3	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.796269894 CET	192.168.2.7	1.1.1.1	0xeab6	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.807038069 CET	192.168.2.7	1.1.1.1	0x83a3	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.817270041 CET	192.168.2.7	1.1.1.1	0xc61	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.830538034 CET	192.168.2.7	1.1.1.1	0x19ed	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.846167088 CET	192.168.2.7	1.1.1.1	0x6886	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.857894897 CET	192.168.2.7	1.1.1.1	0x1fa5	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.868958950 CET	192.168.2.7	1.1.1.1	0xc21e	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.901583910 CET	192.168.2.7	1.1.1.1	0xe310	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.914402962 CET	192.168.2.7	1.1.1.1	0x6055	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.947405100 CET	192.168.2.7	1.1.1.1	0x37c2	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.979351997 CET	192.168.2.7	1.1.1.1	0xc6a1	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.012622118 CET	192.168.2.7	1.1.1.1	0x4a0b	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.044363022 CET	192.168.2.7	1.1.1.1	0x655c	Standard query (0)	difficultpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:19.471246958 CET	192.168.2.7	1.1.1.1	0x8830	Standard query (0)	difficultpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.228653908 CET	192.168.2.7	1.1.1.1	0x429f	Standard query (0)	gentledivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.890738010 CET	192.168.2.7	1.1.1.1	0x820f	Standard query (0)	returnstream.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.901784897 CET	192.168.2.7	1.1.1.1	0xe6de	Standard query (0)	variousnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.912729979 CET	192.168.2.7	1.1.1.1	0x3f34	Standard query (0)	returnnothing.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.923698902 CET	192.168.2.7	1.1.1.1	0x987c	Standard query (0)	variousbottle.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.837690115 CET	192.168.2.7	1.1.1.1	0x1582	Standard query (0)	variousdivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.871766090 CET	192.168.2.7	1.1.1.1	0xd86e	Standard query (0)	returndivide.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.908292055 CET	192.168.2.7	1.1.1.1	0xcc63	Standard query (0)	degreemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.919238091 CET	192.168.2.7	1.1.1.1	0xc54f	Standard query (0)	forwardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.950423956 CET	192.168.2.7	1.1.1.1	0xc40c	Standard query (0)	degreeanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.981719971 CET	192.168.2.7	1.1.1.1	0xc555	Standard query (0)	forwardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.136574030 CET	192.168.2.7	1.1.1.1	0x6d9e	Standard query (0)	degreebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.169140100 CET	192.168.2.7	1.1.1.1	0x7b24	Standard query (0)	forwardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.178730965 CET	192.168.2.7	1.1.1.1	0x6b4d	Standard query (0)	degreeappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.209842920 CET	192.168.2.7	1.1.1.1	0x3326	Standard query (0)	forwardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.220808029 CET	192.168.2.7	1.1.1.1	0xaa1f	Standard query (0)	answermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.231169939 CET	192.168.2.7	1.1.1.1	0xadcb	Standard query (0)	glassmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.242518902 CET	192.168.2.7	1.1.1.1	0xdf08	Standard query (0)	answeranother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.273839951 CET	192.168.2.7	1.1.1.1	0x3867	Standard query (0)	glassanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.284801006 CET	192.168.2.7	1.1.1.1	0x33c8	Standard query (0)	answerbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.317785025 CET	192.168.2.7	1.1.1.1	0x61d2	Standard query (0)	glassbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.329255104 CET	192.168.2.7	1.1.1.1	0x82bd	Standard query (0)	answerappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.340610027 CET	192.168.2.7	1.1.1.1	0x48e7	Standard query (0)	glassappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.374212980 CET	192.168.2.7	1.1.1.1	0xd8f7	Standard query (0)	difficultmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.385312080 CET	192.168.2.7	1.1.1.1	0xa762	Standard query (0)	heardmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.417017937 CET	192.168.2.7	1.1.1.1	0x93eb	Standard query (0)	difficultanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.428956985 CET	192.168.2.7	1.1.1.1	0x5476	Standard query (0)	heardanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.441554070 CET	192.168.2.7	1.1.1.1	0xafeb	Standard query (0)	difficultbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.453382015 CET	192.168.2.7	1.1.1.1	0x32a1	Standard query (0)	heardbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.462553978 CET	192.168.2.7	1.1.1.1	0xb31e	Standard query (0)	difficultappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.495667934 CET	192.168.2.7	1.1.1.1	0xba1a	Standard query (0)	heardappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.506218910 CET	192.168.2.7	1.1.1.1	0xd2f	Standard query (0)	pleasantmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.518281937 CET	192.168.2.7	1.1.1.1	0xe178	Standard query (0)	necessarymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.530108929 CET	192.168.2.7	1.1.1.1	0x4a96	Standard query (0)	pleasantanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.693650007 CET	192.168.2.7	1.1.1.1	0x7d76	Standard query (0)	necessaryanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.705477953 CET	192.168.2.7	1.1.1.1	0xa76a	Standard query (0)	pleasantbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.737010956 CET	192.168.2.7	1.1.1.1	0xdb39	Standard query (0)	necessarybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.748720884 CET	192.168.2.7	1.1.1.1	0x6302	Standard query (0)	pleasantappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.782176018 CET	192.168.2.7	1.1.1.1	0x8b4e	Standard query (0)	necessaryappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.795878887 CET	192.168.2.7	1.1.1.1	0x8628	Standard query (0)	ordermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.828744888 CET	192.168.2.7	1.1.1.1	0x245f	Standard query (0)	requiremanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.841034889 CET	192.168.2.7	1.1.1.1	0x6ab6	Standard query (0)	orderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.851843119 CET	192.168.2.7	1.1.1.1	0x1a40	Standard query (0)	requireanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.859572887 CET	192.168.2.7	1.1.1.1	0xcb25	Standard query (0)	orderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.891239882 CET	192.168.2.7	1.1.1.1	0xf0dd	Standard query (0)	requirebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.919833899 CET	192.168.2.7	1.1.1.1	0x66dc	Standard query (0)	orderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.934252024 CET	192.168.2.7	1.1.1.1	0x2a2d	Standard query (0)	requireappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.951008081 CET	192.168.2.7	1.1.1.1	0xcbfd	Standard query (0)	leadermanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.984493971 CET	192.168.2.7	1.1.1.1	0x8270	Standard query (0)	heavenmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.078607082 CET	192.168.2.7	1.1.1.1	0x8437	Standard query (0)	leaderanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.095710993 CET	192.168.2.7	1.1.1.1	0x9b1b	Standard query (0)	heavenanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.115420103 CET	192.168.2.7	1.1.1.1	0x5e58	Standard query (0)	leaderbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.139420033 CET	192.168.2.7	1.1.1.1	0x65f1	Standard query (0)	heavenbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.159482002 CET	192.168.2.7	1.1.1.1	0x862f	Standard query (0)	leaderappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.179341078 CET	192.168.2.7	1.1.1.1	0x2fbc	Standard query (0)	heavenappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.335670948 CET	192.168.2.7	1.1.1.1	0x2968	Standard query (0)	heavymanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.509546041 CET	192.168.2.7	1.1.1.1	0x7e0d	Standard query (0)	gentlemanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.804976940 CET	192.168.2.7	1.1.1.1	0x4cc6	Standard query (0)	heavyanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.778865099 CET	192.168.2.7	1.1.1.1	0xe029	Standard query (0)	heavybusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.811981916 CET	192.168.2.7	1.1.1.1	0x64ac	Standard query (0)	gentlebusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.822931051 CET	192.168.2.7	1.1.1.1	0x2d26	Standard query (0)	heavyappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.831818104 CET	192.168.2.7	1.1.1.1	0xe0f7	Standard query (0)	gentleappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.864805937 CET	192.168.2.7	1.1.1.1	0xa22b	Standard query (0)	variousmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.876385927 CET	192.168.2.7	1.1.1.1	0x2b7b	Standard query (0)	returnmanner.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.909574032 CET	192.168.2.7	1.1.1.1	0x7d57	Standard query (0)	variousanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.921461105 CET	192.168.2.7	1.1.1.1	0x3549	Standard query (0)	returnanother.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.931700945 CET	192.168.2.7	1.1.1.1	0x7440	Standard query (0)	variousbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.943310022 CET	192.168.2.7	1.1.1.1	0x7b7c	Standard query (0)	returnbusiness.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.976548910 CET	192.168.2.7	1.1.1.1	0xe98f	Standard query (0)	variousappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.988806009 CET	192.168.2.7	1.1.1.1	0xb51d	Standard query (0)	returnappear.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.999824047 CET	192.168.2.7	1.1.1.1	0x3c4b	Standard query (0)	degreeinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.011821032 CET	192.168.2.7	1.1.1.1	0x3469	Standard query (0)	forwardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.024602890 CET	192.168.2.7	1.1.1.1	0x5ff	Standard query (0)	degreeexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.035212994 CET	192.168.2.7	1.1.1.1	0x442f	Standard query (0)	forwardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.045748949 CET	192.168.2.7	1.1.1.1	0x6b7f	Standard query (0)	degreebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.081449032 CET	192.168.2.7	1.1.1.1	0x947c	Standard query (0)	forwardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.093252897 CET	192.168.2.7	1.1.1.1	0x8394	Standard query (0)	degreeinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.378760099 CET	192.168.2.7	1.1.1.1	0xfe31	Standard query (0)	forwardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.389883041 CET	192.168.2.7	1.1.1.1	0xa0bc	Standard query (0)	answerinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.401849031 CET	192.168.2.7	1.1.1.1	0x108c	Standard query (0)	glassinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.413997889 CET	192.168.2.7	1.1.1.1	0x9101	Standard query (0)	answerexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.424200058 CET	192.168.2.7	1.1.1.1	0x9a46	Standard query (0)	glassexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.436206102 CET	192.168.2.7	1.1.1.1	0x24d6	Standard query (0)	answerbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.143295050 CET	192.168.2.7	1.1.1.1	0x22fb	Standard query (0)	answerinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.154597998 CET	192.168.2.7	1.1.1.1	0x7545	Standard query (0)	glassinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.166747093 CET	192.168.2.7	1.1.1.1	0x7bfe	Standard query (0)	difficultinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.178278923 CET	192.168.2.7	1.1.1.1	0xfa37	Standard query (0)	heardinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.212093115 CET	192.168.2.7	1.1.1.1	0x1d71	Standard query (0)	difficultexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.222141027 CET	192.168.2.7	1.1.1.1	0xb5ec	Standard query (0)	heardexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.232314110 CET	192.168.2.7	1.1.1.1	0xef10	Standard query (0)	difficultbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.243350029 CET	192.168.2.7	1.1.1.1	0x48ba	Standard query (0)	heardbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.258239985 CET	192.168.2.7	1.1.1.1	0x8a0e	Standard query (0)	difficultinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.269732952 CET	192.168.2.7	1.1.1.1	0xaa70	Standard query (0)	heardinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.137578011 CET	192.168.2.7	1.1.1.1	0x631d	Standard query (0)	necessaryinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.169378042 CET	192.168.2.7	1.1.1.1	0x72e5	Standard query (0)	pleasantexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.179856062 CET	192.168.2.7	1.1.1.1	0x19a6	Standard query (0)	necessaryexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.191088915 CET	192.168.2.7	1.1.1.1	0x59a3	Standard query (0)	pleasantbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.223222971 CET	192.168.2.7	1.1.1.1	0xac4a	Standard query (0)	necessarybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.254877090 CET	192.168.2.7	1.1.1.1	0x12be	Standard query (0)	pleasantinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.268040895 CET	192.168.2.7	1.1.1.1	0x3b6c	Standard query (0)	necessaryinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.281100988 CET	192.168.2.7	1.1.1.1	0x284	Standard query (0)	orderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.294612885 CET	192.168.2.7	1.1.1.1	0xc701	Standard query (0)	requireinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.627989054 CET	192.168.2.7	1.1.1.1	0xd76e	Standard query (0)	orderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.647664070 CET	192.168.2.7	1.1.1.1	0x6673	Standard query (0)	requireexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.660629988 CET	192.168.2.7	1.1.1.1	0x94c1	Standard query (0)	orderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.671309948 CET	192.168.2.7	1.1.1.1	0x9695	Standard query (0)	requirebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.679553032 CET	192.168.2.7	1.1.1.1	0x8ac4	Standard query (0)	orderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.711180925 CET	192.168.2.7	1.1.1.1	0xdce9	Standard query (0)	requireinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.722016096 CET	192.168.2.7	1.1.1.1	0x46e4	Standard query (0)	leaderinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.731651068 CET	192.168.2.7	1.1.1.1	0x7e7a	Standard query (0)	heaveninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.764384031 CET	192.168.2.7	1.1.1.1	0x416	Standard query (0)	leaderexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.777165890 CET	192.168.2.7	1.1.1.1	0xf3d8	Standard query (0)	heavenexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.810587883 CET	192.168.2.7	1.1.1.1	0x8861	Standard query (0)	leaderbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.821203947 CET	192.168.2.7	1.1.1.1	0x8e1	Standard query (0)	heavenbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.831527948 CET	192.168.2.7	1.1.1.1	0x93a9	Standard query (0)	leaderinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.863894939 CET	192.168.2.7	1.1.1.1	0x46fa	Standard query (0)	heaveninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.875005007 CET	192.168.2.7	1.1.1.1	0x28d3	Standard query (0)	heavyinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.886010885 CET	192.168.2.7	1.1.1.1	0x4c4e	Standard query (0)	gentleinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.919850111 CET	192.168.2.7	1.1.1.1	0x9fb9	Standard query (0)	heavyexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.931025982 CET	192.168.2.7	1.1.1.1	0x5c9a	Standard query (0)	gentleexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.942696095 CET	192.168.2.7	1.1.1.1	0xcaf4	Standard query (0)	heavybright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.955173016 CET	192.168.2.7	1.1.1.1	0xf16	Standard query (0)	gentlebright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.968086004 CET	192.168.2.7	1.1.1.1	0x1671	Standard query (0)	heavyinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.980334997 CET	192.168.2.7	1.1.1.1	0x5c51	Standard query (0)	gentleinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.992647886 CET	192.168.2.7	1.1.1.1	0x869	Standard query (0)	variousinstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.004740000 CET	192.168.2.7	1.1.1.1	0xc605	Standard query (0)	returninstead.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.016379118 CET	192.168.2.7	1.1.1.1	0x844f	Standard query (0)	variousexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.026945114 CET	192.168.2.7	1.1.1.1	0x1f36	Standard query (0)	returnexplain.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.059385061 CET	192.168.2.7	1.1.1.1	0x2acb	Standard query (0)	variousbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.072128057 CET	192.168.2.7	1.1.1.1	0x4070	Standard query (0)	returnbright.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.089428902 CET	192.168.2.7	1.1.1.1	0x361d	Standard query (0)	variousinside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.100639105 CET	192.168.2.7	1.1.1.1	0x7ebf	Standard query (0)	returninside.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.111120939 CET	192.168.2.7	1.1.1.1	0x6450	Standard query (0)	degreeready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.145504951 CET	192.168.2.7	1.1.1.1	0xe3f2	Standard query (0)	forwardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.179832935 CET	192.168.2.7	1.1.1.1	0x1efb	Standard query (0)	degreebrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.191200018 CET	192.168.2.7	1.1.1.1	0x343d	Standard query (0)	forwardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.203571081 CET	192.168.2.7	1.1.1.1	0xa2b9	Standard query (0)	degreepeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.214863062 CET	192.168.2.7	1.1.1.1	0x8093	Standard query (0)	forwardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.145634890 CET	192.168.2.7	1.1.1.1	0x3a13	Standard query (0)	forwarddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.157644033 CET	192.168.2.7	1.1.1.1	0xf9c7	Standard query (0)	answerready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.168418884 CET	192.168.2.7	1.1.1.1	0xc19d	Standard query (0)	glassready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.178752899 CET	192.168.2.7	1.1.1.1	0x4c7b	Standard query (0)	answerbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.189691067 CET	192.168.2.7	1.1.1.1	0xa55c	Standard query (0)	glassbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.201395988 CET	192.168.2.7	1.1.1.1	0xa4f	Standard query (0)	answerpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.233980894 CET	192.168.2.7	1.1.1.1	0x79ad	Standard query (0)	glasspeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.266592979 CET	192.168.2.7	1.1.1.1	0x3570	Standard query (0)	answerdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.299397945 CET	192.168.2.7	1.1.1.1	0x9a73	Standard query (0)	glassdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.330964088 CET	192.168.2.7	1.1.1.1	0x952	Standard query (0)	difficultready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.342278957 CET	192.168.2.7	1.1.1.1	0x3f01	Standard query (0)	heardready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.374471903 CET	192.168.2.7	1.1.1.1	0xb9f4	Standard query (0)	difficultbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.382653952 CET	192.168.2.7	1.1.1.1	0xf7a6	Standard query (0)	heardbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.071810007 CET	192.168.2.7	1.1.1.1	0x7895	Standard query (0)	heardpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.084183931 CET	192.168.2.7	1.1.1.1	0x626f	Standard query (0)	difficultdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.097138882 CET	192.168.2.7	1.1.1.1	0xd659	Standard query (0)	hearddaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.129976034 CET	192.168.2.7	1.1.1.1	0x872d	Standard query (0)	pleasantready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.141922951 CET	192.168.2.7	1.1.1.1	0x8c2	Standard query (0)	necessaryready.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.153949976 CET	192.168.2.7	1.1.1.1	0x379	Standard query (0)	pleasantbrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.186777115 CET	192.168.2.7	1.1.1.1	0x90c8	Standard query (0)	necessarybrown.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.198209047 CET	192.168.2.7	1.1.1.1	0x5d2f	Standard query (0)	pleasantpeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.208930016 CET	192.168.2.7	1.1.1.1	0x5714	Standard query (0)	necessarypeople.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.219918013 CET	192.168.2.7	1.1.1.1	0x292e	Standard query (0)	pleasantdaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.232105970 CET	192.168.2.7	1.1.1.1	0xdd7a	Standard query (0)	necessarydaughter.net	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.266164064 CET	192.168.2.7	1.1.1.1	0xe0a2	Standard query (0)	orderready.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 16:04:53.347775936 CET	1.1.1.1	192.168.2.7	0x4749	Name error (3)	heavennothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.442743063 CET	1.1.1.1	192.168.2.7	0x3867	Name error (3)	leaderbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.465126991 CET	1.1.1.1	192.168.2.7	0x6a44	Name error (3)	heavenbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.495286942 CET	1.1.1.1	192.168.2.7	0x63c6	Name error (3)	leaderdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.544032097 CET	1.1.1.1	192.168.2.7	0x81f8	Name error (3)	heavendivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.569571972 CET	1.1.1.1	192.168.2.7	0xdfb9	Name error (3)	heavystream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.613780975 CET	1.1.1.1	192.168.2.7	0x3eda	Name error (3)	gentlestream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.672549009 CET	1.1.1.1	192.168.2.7	0xf7cd	Name error (3)	heavynothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.694328070 CET	1.1.1.1	192.168.2.7	0x4986	Name error (3)	gentlenothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.705370903 CET	1.1.1.1	192.168.2.7	0x7450	Name error (3)	heavybottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.719063044 CET	1.1.1.1	192.168.2.7	0x571b	Name error (3)	gentlebottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.751280069 CET	1.1.1.1	192.168.2.7	0xe3e6	Name error (3)	heavydivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:53.785763979 CET	1.1.1.1	192.168.2.7	0x7823	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.097103119 CET	1.1.1.1	192.168.2.7	0xa8df	No error (0)	variousstream.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:04:54.097103119 CET	1.1.1.1	192.168.2.7	0xa8df	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.658442974 CET	1.1.1.1	192.168.2.7	0x94f1	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:04:54.772690058 CET	1.1.1.1	192.168.2.7	0x72a6	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.787415981 CET	1.1.1.1	192.168.2.7	0xc136	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:54.843070984 CET	1.1.1.1	192.168.2.7	0xf532	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.008295059 CET	1.1.1.1	192.168.2.7	0x3a00	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:55.224541903 CET	1.1.1.1	192.168.2.7	0xf1c2	No error (0)	returnbottle.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.119527102 CET	1.1.1.1	192.168.2.7	0xdf57	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.131095886 CET	1.1.1.1	192.168.2.7	0x40df	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.141644955 CET	1.1.1.1	192.168.2.7	0x46b3	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.153564930 CET	1.1.1.1	192.168.2.7	0xd6a6	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.164263964 CET	1.1.1.1	192.168.2.7	0x4720	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.176110983 CET	1.1.1.1	192.168.2.7	0xdbe9	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.186676025 CET	1.1.1.1	192.168.2.7	0xa632	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.197581053 CET	1.1.1.1	192.168.2.7	0x1ae	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.230848074 CET	1.1.1.1	192.168.2.7	0x2eb6	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.241862059 CET	1.1.1.1	192.168.2.7	0xa211	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.253117085 CET	1.1.1.1	192.168.2.7	0xff8d	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.288800001 CET	1.1.1.1	192.168.2.7	0xa525	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.321398020 CET	1.1.1.1	192.168.2.7	0xd9cc	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.354087114 CET	1.1.1.1	192.168.2.7	0xdec7	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.386241913 CET	1.1.1.1	192.168.2.7	0x80f0	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.397490025 CET	1.1.1.1	192.168.2.7	0xf930	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.408019066 CET	1.1.1.1	192.168.2.7	0x8a45	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.441931009 CET	1.1.1.1	192.168.2.7	0x29df	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.456258059 CET	1.1.1.1	192.168.2.7	0x2c15	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.469532013 CET	1.1.1.1	192.168.2.7	0xf275	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.481367111 CET	1.1.1.1	192.168.2.7	0x2c29	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.493697882 CET	1.1.1.1	192.168.2.7	0x2dd0	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.528162956 CET	1.1.1.1	192.168.2.7	0xd97	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.540806055 CET	1.1.1.1	192.168.2.7	0xc136	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.574012041 CET	1.1.1.1	192.168.2.7	0x608f	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.588335991 CET	1.1.1.1	192.168.2.7	0xa8cb	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.601798058 CET	1.1.1.1	192.168.2.7	0x1db8	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.615495920 CET	1.1.1.1	192.168.2.7	0xe634	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.626497984 CET	1.1.1.1	192.168.2.7	0xa98c	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.637691975 CET	1.1.1.1	192.168.2.7	0x21aa	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.648102045 CET	1.1.1.1	192.168.2.7	0x8840	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.680032015 CET	1.1.1.1	192.168.2.7	0x279e	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.711973906 CET	1.1.1.1	192.168.2.7	0x9aeb	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.723645926 CET	1.1.1.1	192.168.2.7	0xa1c1	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.735065937 CET	1.1.1.1	192.168.2.7	0xa947	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.772583008 CET	1.1.1.1	192.168.2.7	0x87ab	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.782725096 CET	1.1.1.1	192.168.2.7	0x1413	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.794508934 CET	1.1.1.1	192.168.2.7	0xf0c6	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.805000067 CET	1.1.1.1	192.168.2.7	0x4f45	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.816334963 CET	1.1.1.1	192.168.2.7	0xd26e	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.848032951 CET	1.1.1.1	192.168.2.7	0xc247	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.880276918 CET	1.1.1.1	192.168.2.7	0x315	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.913297892 CET	1.1.1.1	192.168.2.7	0x6675	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.924864054 CET	1.1.1.1	192.168.2.7	0xe236	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.936068058 CET	1.1.1.1	192.168.2.7	0x647	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.945817947 CET	1.1.1.1	192.168.2.7	0xf07	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.956614017 CET	1.1.1.1	192.168.2.7	0x5d2d	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.967164993 CET	1.1.1.1	192.168.2.7	0x1eee	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.978880882 CET	1.1.1.1	192.168.2.7	0x99cc	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:57.989454031 CET	1.1.1.1	192.168.2.7	0xf288	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.000984907 CET	1.1.1.1	192.168.2.7	0x95dc	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.012195110 CET	1.1.1.1	192.168.2.7	0x7f8c	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.022697926 CET	1.1.1.1	192.168.2.7	0x8530	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:58.207989931 CET	1.1.1.1	192.168.2.7	0x4ce2	No error (0)	gentleanother.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.188363075 CET	1.1.1.1	192.168.2.7	0x5baf	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.199888945 CET	1.1.1.1	192.168.2.7	0xbfe	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.213710070 CET	1.1.1.1	192.168.2.7	0xd13e	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.226752043 CET	1.1.1.1	192.168.2.7	0xbde4	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.236771107 CET	1.1.1.1	192.168.2.7	0x2308	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.250068903 CET	1.1.1.1	192.168.2.7	0x774c	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.262159109 CET	1.1.1.1	192.168.2.7	0xa0a4	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.297399998 CET	1.1.1.1	192.168.2.7	0x69a8	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.330907106 CET	1.1.1.1	192.168.2.7	0x898f	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.346285105 CET	1.1.1.1	192.168.2.7	0xc11b	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.377984047 CET	1.1.1.1	192.168.2.7	0xe88b	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.410007954 CET	1.1.1.1	192.168.2.7	0xaad9	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.420322895 CET	1.1.1.1	192.168.2.7	0x227	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.577178955 CET	1.1.1.1	192.168.2.7	0x1d3a	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.587853909 CET	1.1.1.1	192.168.2.7	0x80d8	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.601001024 CET	1.1.1.1	192.168.2.7	0x126a	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.612354040 CET	1.1.1.1	192.168.2.7	0xa657	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.644774914 CET	1.1.1.1	192.168.2.7	0x49ba	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.656642914 CET	1.1.1.1	192.168.2.7	0x5cee	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.667671919 CET	1.1.1.1	192.168.2.7	0xef59	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.700613976 CET	1.1.1.1	192.168.2.7	0x58e4	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.712245941 CET	1.1.1.1	192.168.2.7	0xce57	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.724016905 CET	1.1.1.1	192.168.2.7	0x7a20	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.755714893 CET	1.1.1.1	192.168.2.7	0xed1c	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:04:59.787955046 CET	1.1.1.1	192.168.2.7	0xbfa	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.157084942 CET	1.1.1.1	192.168.2.7	0x53d5	No error (0)	glassbright.net	7450.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 16:05:00.157084942 CET	1.1.1.1	192.168.2.7	0x53d5	No error (0)	7450.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:00.850101948 CET	1.1.1.1	192.168.2.7	0xf65b	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.507688999 CET	1.1.1.1	192.168.2.7	0x3183	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.525317907 CET	1.1.1.1	192.168.2.7	0xa955	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.542020082 CET	1.1.1.1	192.168.2.7	0x34d0	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.557168961 CET	1.1.1.1	192.168.2.7	0xe440	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.590400934 CET	1.1.1.1	192.168.2.7	0x3786	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.603935003 CET	1.1.1.1	192.168.2.7	0xb89	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.625219107 CET	1.1.1.1	192.168.2.7	0xe8e2	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:01.637314081 CET	1.1.1.1	192.168.2.7	0x2cf2	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:02.071599007 CET	1.1.1.1	192.168.2.7	0x1f9	No error (0)	pleasantinstead.net		18.143.155.63	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.952143908 CET	1.1.1.1	192.168.2.7	0xf675	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.965478897 CET	1.1.1.1	192.168.2.7	0xae27	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.977418900 CET	1.1.1.1	192.168.2.7	0x5326	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.988667965 CET	1.1.1.1	192.168.2.7	0xd630	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:03.999515057 CET	1.1.1.1	192.168.2.7	0xd3d5	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.012185097 CET	1.1.1.1	192.168.2.7	0x829a	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.023416996 CET	1.1.1.1	192.168.2.7	0xe5f3	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.054416895 CET	1.1.1.1	192.168.2.7	0x14fe	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.072954893 CET	1.1.1.1	192.168.2.7	0x1ecf	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.085130930 CET	1.1.1.1	192.168.2.7	0x8829	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.095150948 CET	1.1.1.1	192.168.2.7	0xcc2e	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.106045961 CET	1.1.1.1	192.168.2.7	0xda2e	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.137325048 CET	1.1.1.1	192.168.2.7	0x981a	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.295079947 CET	1.1.1.1	192.168.2.7	0x3602	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.327666044 CET	1.1.1.1	192.168.2.7	0x8641	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.338426113 CET	1.1.1.1	192.168.2.7	0x8b7c	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.348624945 CET	1.1.1.1	192.168.2.7	0x916a	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.359141111 CET	1.1.1.1	192.168.2.7	0xafd0	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.394874096 CET	1.1.1.1	192.168.2.7	0x1689	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.407636881 CET	1.1.1.1	192.168.2.7	0x5336	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.416245937 CET	1.1.1.1	192.168.2.7	0xee4	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.427758932 CET	1.1.1.1	192.168.2.7	0x31a5	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.439228058 CET	1.1.1.1	192.168.2.7	0xa17d	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.453368902 CET	1.1.1.1	192.168.2.7	0x51ad	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.488535881 CET	1.1.1.1	192.168.2.7	0x458e	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.502510071 CET	1.1.1.1	192.168.2.7	0xe3cf	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.534972906 CET	1.1.1.1	192.168.2.7	0xae12	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.545937061 CET	1.1.1.1	192.168.2.7	0xf732	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.556900024 CET	1.1.1.1	192.168.2.7	0x275c	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.588821888 CET	1.1.1.1	192.168.2.7	0x40f9	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.600617886 CET	1.1.1.1	192.168.2.7	0x4cf9	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.611424923 CET	1.1.1.1	192.168.2.7	0x11c7	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.622478962 CET	1.1.1.1	192.168.2.7	0x2541	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.632677078 CET	1.1.1.1	192.168.2.7	0xafc4	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.663984060 CET	1.1.1.1	192.168.2.7	0x392f	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.696541071 CET	1.1.1.1	192.168.2.7	0x4ff9	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.707931042 CET	1.1.1.1	192.168.2.7	0xc3ff	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.719094038 CET	1.1.1.1	192.168.2.7	0x7b26	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.735214949 CET	1.1.1.1	192.168.2.7	0x2ca6	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.746452093 CET	1.1.1.1	192.168.2.7	0x24e9	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.759437084 CET	1.1.1.1	192.168.2.7	0xf54c	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.779006958 CET	1.1.1.1	192.168.2.7	0x1ff7	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.789272070 CET	1.1.1.1	192.168.2.7	0xfe59	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.799742937 CET	1.1.1.1	192.168.2.7	0xe0e	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.810883999 CET	1.1.1.1	192.168.2.7	0xe653	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:04.898118019 CET	1.1.1.1	192.168.2.7	0xe809	No error (0)	degreedaughter.net		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.795481920 CET	1.1.1.1	192.168.2.7	0x71c3	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.806155920 CET	1.1.1.1	192.168.2.7	0xeab6	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.816298008 CET	1.1.1.1	192.168.2.7	0x83a3	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.829643011 CET	1.1.1.1	192.168.2.7	0xc61	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.845227003 CET	1.1.1.1	192.168.2.7	0x19ed	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.857165098 CET	1.1.1.1	192.168.2.7	0x6886	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.868282080 CET	1.1.1.1	192.168.2.7	0x1fa5	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.900918961 CET	1.1.1.1	192.168.2.7	0xc21e	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.913753033 CET	1.1.1.1	192.168.2.7	0xe310	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.946469069 CET	1.1.1.1	192.168.2.7	0x6055	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:05.978557110 CET	1.1.1.1	192.168.2.7	0x37c2	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.011785984 CET	1.1.1.1	192.168.2.7	0xc6a1	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.043571949 CET	1.1.1.1	192.168.2.7	0x4a0b	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.102107048 CET	1.1.1.1	192.168.2.7	0x655c	No error (0)	difficultpeople.net		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:06.102107048 CET	1.1.1.1	192.168.2.7	0x655c	No error (0)	difficultpeople.net		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:19.878576040 CET	1.1.1.1	192.168.2.7	0x8830	No error (0)	difficultpeople.net		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:05:19.878576040 CET	1.1.1.1	192.168.2.7	0x8830	No error (0)	difficultpeople.net		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.241674900 CET	1.1.1.1	192.168.2.7	0x429f	Name error (3)	gentledivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.900947094 CET	1.1.1.1	192.168.2.7	0x820f	Name error (3)	returnstream.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.912138939 CET	1.1.1.1	192.168.2.7	0xe6de	Name error (3)	variousnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.923098087 CET	1.1.1.1	192.168.2.7	0x3f34	Name error (3)	returnnothing.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:13.933649063 CET	1.1.1.1	192.168.2.7	0x987c	Name error (3)	variousbottle.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.870649099 CET	1.1.1.1	192.168.2.7	0x1582	Name error (3)	variousdivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.907392025 CET	1.1.1.1	192.168.2.7	0xd86e	Name error (3)	returndivide.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.918662071 CET	1.1.1.1	192.168.2.7	0xcc63	Name error (3)	degreemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.949609041 CET	1.1.1.1	192.168.2.7	0xc54f	Name error (3)	forwardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:15.980979919 CET	1.1.1.1	192.168.2.7	0xc40c	Name error (3)	degreeanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.135237932 CET	1.1.1.1	192.168.2.7	0xc555	Name error (3)	forwardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.168159008 CET	1.1.1.1	192.168.2.7	0x6d9e	Name error (3)	degreebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.178093910 CET	1.1.1.1	192.168.2.7	0x7b24	Name error (3)	forwardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.209016085 CET	1.1.1.1	192.168.2.7	0x6b4d	Name error (3)	degreeappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.220129967 CET	1.1.1.1	192.168.2.7	0x3326	Name error (3)	forwardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.230613947 CET	1.1.1.1	192.168.2.7	0xaa1f	Name error (3)	answermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.241934061 CET	1.1.1.1	192.168.2.7	0xadcb	Name error (3)	glassmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.273034096 CET	1.1.1.1	192.168.2.7	0xdf08	Name error (3)	answeranother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.283898115 CET	1.1.1.1	192.168.2.7	0x3867	Name error (3)	glassanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.317037106 CET	1.1.1.1	192.168.2.7	0x33c8	Name error (3)	answerbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.328620911 CET	1.1.1.1	192.168.2.7	0x61d2	Name error (3)	glassbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.339920044 CET	1.1.1.1	192.168.2.7	0x82bd	Name error (3)	answerappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.373490095 CET	1.1.1.1	192.168.2.7	0x48e7	Name error (3)	glassappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.384622097 CET	1.1.1.1	192.168.2.7	0xd8f7	Name error (3)	difficultmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.416042089 CET	1.1.1.1	192.168.2.7	0xa762	Name error (3)	heardmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.427623034 CET	1.1.1.1	192.168.2.7	0x93eb	Name error (3)	difficultanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.440568924 CET	1.1.1.1	192.168.2.7	0x5476	Name error (3)	heardanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.452315092 CET	1.1.1.1	192.168.2.7	0xafeb	Name error (3)	difficultbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.461631060 CET	1.1.1.1	192.168.2.7	0x32a1	Name error (3)	heardbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.494417906 CET	1.1.1.1	192.168.2.7	0xb31e	Name error (3)	difficultappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.505398989 CET	1.1.1.1	192.168.2.7	0xba1a	Name error (3)	heardappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.517252922 CET	1.1.1.1	192.168.2.7	0xd2f	Name error (3)	pleasantmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.529340029 CET	1.1.1.1	192.168.2.7	0xe178	Name error (3)	necessarymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.692389965 CET	1.1.1.1	192.168.2.7	0x4a96	Name error (3)	pleasantanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.704786062 CET	1.1.1.1	192.168.2.7	0x7d76	Name error (3)	necessaryanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.735780954 CET	1.1.1.1	192.168.2.7	0xa76a	Name error (3)	pleasantbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.747987032 CET	1.1.1.1	192.168.2.7	0xdb39	Name error (3)	necessarybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.781043053 CET	1.1.1.1	192.168.2.7	0x6302	Name error (3)	pleasantappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.792679071 CET	1.1.1.1	192.168.2.7	0x8b4e	Name error (3)	necessaryappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.827554941 CET	1.1.1.1	192.168.2.7	0x8628	Name error (3)	ordermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.840500116 CET	1.1.1.1	192.168.2.7	0x245f	Name error (3)	requiremanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.850759029 CET	1.1.1.1	192.168.2.7	0x6ab6	Name error (3)	orderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.858927965 CET	1.1.1.1	192.168.2.7	0x1a40	Name error (3)	requireanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.890587091 CET	1.1.1.1	192.168.2.7	0xcb25	Name error (3)	orderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.901130915 CET	1.1.1.1	192.168.2.7	0xf0dd	Name error (3)	requirebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.930253029 CET	1.1.1.1	192.168.2.7	0x66dc	Name error (3)	orderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.944922924 CET	1.1.1.1	192.168.2.7	0x2a2d	Name error (3)	requireappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.982917070 CET	1.1.1.1	192.168.2.7	0xcbfd	Name error (3)	leadermanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:16.994539022 CET	1.1.1.1	192.168.2.7	0x8270	Name error (3)	heavenmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.088989973 CET	1.1.1.1	192.168.2.7	0x8437	Name error (3)	leaderanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.105096102 CET	1.1.1.1	192.168.2.7	0x9b1b	Name error (3)	heavenanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.127393961 CET	1.1.1.1	192.168.2.7	0x5e58	Name error (3)	leaderbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.150991917 CET	1.1.1.1	192.168.2.7	0x65f1	Name error (3)	heavenbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.170691967 CET	1.1.1.1	192.168.2.7	0x862f	Name error (3)	leaderappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.211982012 CET	1.1.1.1	192.168.2.7	0x2fbc	Name error (3)	heavenappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.508321047 CET	1.1.1.1	192.168.2.7	0x2968	Name error (3)	heavymanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.803721905 CET	1.1.1.1	192.168.2.7	0x7e0d	Name error (3)	gentlemanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:17.815033913 CET	1.1.1.1	192.168.2.7	0x4cc6	Name error (3)	heavyanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.810669899 CET	1.1.1.1	192.168.2.7	0xe029	Name error (3)	heavybusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.822026968 CET	1.1.1.1	192.168.2.7	0x64ac	Name error (3)	gentlebusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.831190109 CET	1.1.1.1	192.168.2.7	0x2d26	Name error (3)	heavyappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.863784075 CET	1.1.1.1	192.168.2.7	0xe0f7	Name error (3)	gentleappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.875801086 CET	1.1.1.1	192.168.2.7	0xa22b	Name error (3)	variousmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.908488989 CET	1.1.1.1	192.168.2.7	0x2b7b	Name error (3)	returnmanner.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.920857906 CET	1.1.1.1	192.168.2.7	0x7d57	Name error (3)	variousanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.930834055 CET	1.1.1.1	192.168.2.7	0x3549	Name error (3)	returnanother.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.940620899 CET	1.1.1.1	192.168.2.7	0x7440	Name error (3)	variousbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.975406885 CET	1.1.1.1	192.168.2.7	0x7b7c	Name error (3)	returnbusiness.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.987499952 CET	1.1.1.1	192.168.2.7	0xe98f	Name error (3)	variousappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:18.998583078 CET	1.1.1.1	192.168.2.7	0xb51d	Name error (3)	returnappear.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.010644913 CET	1.1.1.1	192.168.2.7	0x3c4b	Name error (3)	degreeinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.023623943 CET	1.1.1.1	192.168.2.7	0x3469	Name error (3)	forwardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.034188032 CET	1.1.1.1	192.168.2.7	0x5ff	Name error (3)	degreeexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.044912100 CET	1.1.1.1	192.168.2.7	0x442f	Name error (3)	forwardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.080305099 CET	1.1.1.1	192.168.2.7	0x6b7f	Name error (3)	degreebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.092499018 CET	1.1.1.1	192.168.2.7	0x947c	Name error (3)	forwardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.377610922 CET	1.1.1.1	192.168.2.7	0x8394	Name error (3)	degreeinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.389084101 CET	1.1.1.1	192.168.2.7	0xfe31	Name error (3)	forwardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.400989056 CET	1.1.1.1	192.168.2.7	0xa0bc	Name error (3)	answerinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.413288116 CET	1.1.1.1	192.168.2.7	0x108c	Name error (3)	glassinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.423425913 CET	1.1.1.1	192.168.2.7	0x9101	Name error (3)	answerexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.435513020 CET	1.1.1.1	192.168.2.7	0x9a46	Name error (3)	glassexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:19.445924997 CET	1.1.1.1	192.168.2.7	0x24d6	Name error (3)	answerbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.153610945 CET	1.1.1.1	192.168.2.7	0x22fb	Name error (3)	answerinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.165843010 CET	1.1.1.1	192.168.2.7	0x7545	Name error (3)	glassinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.177536964 CET	1.1.1.1	192.168.2.7	0x7bfe	Name error (3)	difficultinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.210980892 CET	1.1.1.1	192.168.2.7	0xfa37	Name error (3)	heardinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.221388102 CET	1.1.1.1	192.168.2.7	0x1d71	Name error (3)	difficultexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.231720924 CET	1.1.1.1	192.168.2.7	0xb5ec	Name error (3)	heardexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.242531061 CET	1.1.1.1	192.168.2.7	0xef10	Name error (3)	difficultbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.257350922 CET	1.1.1.1	192.168.2.7	0x48ba	Name error (3)	heardbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.268990993 CET	1.1.1.1	192.168.2.7	0x8a0e	Name error (3)	difficultinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:20.279407978 CET	1.1.1.1	192.168.2.7	0xaa70	Name error (3)	heardinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.168255091 CET	1.1.1.1	192.168.2.7	0x631d	Name error (3)	necessaryinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.178970098 CET	1.1.1.1	192.168.2.7	0x72e5	Name error (3)	pleasantexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.190231085 CET	1.1.1.1	192.168.2.7	0x19a6	Name error (3)	necessaryexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.222270012 CET	1.1.1.1	192.168.2.7	0x59a3	Name error (3)	pleasantbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.254055023 CET	1.1.1.1	192.168.2.7	0xac4a	Name error (3)	necessarybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.266948938 CET	1.1.1.1	192.168.2.7	0x12be	Name error (3)	pleasantinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.280015945 CET	1.1.1.1	192.168.2.7	0x3b6c	Name error (3)	necessaryinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.293625116 CET	1.1.1.1	192.168.2.7	0x284	Name error (3)	orderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.626678944 CET	1.1.1.1	192.168.2.7	0xc701	Name error (3)	requireinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.646739006 CET	1.1.1.1	192.168.2.7	0xd76e	Name error (3)	orderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.659812927 CET	1.1.1.1	192.168.2.7	0x6673	Name error (3)	requireexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.670561075 CET	1.1.1.1	192.168.2.7	0x94c1	Name error (3)	orderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.678847075 CET	1.1.1.1	192.168.2.7	0x9695	Name error (3)	requirebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.710272074 CET	1.1.1.1	192.168.2.7	0x8ac4	Name error (3)	orderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.721167088 CET	1.1.1.1	192.168.2.7	0xdce9	Name error (3)	requireinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.731053114 CET	1.1.1.1	192.168.2.7	0x46e4	Name error (3)	leaderinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.763225079 CET	1.1.1.1	192.168.2.7	0x7e7a	Name error (3)	heaveninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.776185989 CET	1.1.1.1	192.168.2.7	0x416	Name error (3)	leaderexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.809418917 CET	1.1.1.1	192.168.2.7	0xf3d8	Name error (3)	heavenexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.820486069 CET	1.1.1.1	192.168.2.7	0x8861	Name error (3)	leaderbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.830835104 CET	1.1.1.1	192.168.2.7	0x8e1	Name error (3)	heavenbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.862989902 CET	1.1.1.1	192.168.2.7	0x93a9	Name error (3)	leaderinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.874079943 CET	1.1.1.1	192.168.2.7	0x46fa	Name error (3)	heaveninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.885051966 CET	1.1.1.1	192.168.2.7	0x28d3	Name error (3)	heavyinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.918699980 CET	1.1.1.1	192.168.2.7	0x4c4e	Name error (3)	gentleinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.930339098 CET	1.1.1.1	192.168.2.7	0x9fb9	Name error (3)	heavyexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.941837072 CET	1.1.1.1	192.168.2.7	0x5c9a	Name error (3)	gentleexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.953903913 CET	1.1.1.1	192.168.2.7	0xcaf4	Name error (3)	heavybright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.967137098 CET	1.1.1.1	192.168.2.7	0xf16	Name error (3)	gentlebright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.979480028 CET	1.1.1.1	192.168.2.7	0x1671	Name error (3)	heavyinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:22.991755009 CET	1.1.1.1	192.168.2.7	0x5c51	Name error (3)	gentleinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.003772974 CET	1.1.1.1	192.168.2.7	0x869	Name error (3)	variousinstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.015326023 CET	1.1.1.1	192.168.2.7	0xc605	Name error (3)	returninstead.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.026288986 CET	1.1.1.1	192.168.2.7	0x844f	Name error (3)	variousexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.058242083 CET	1.1.1.1	192.168.2.7	0x1f36	Name error (3)	returnexplain.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.071223974 CET	1.1.1.1	192.168.2.7	0x2acb	Name error (3)	variousbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.084067106 CET	1.1.1.1	192.168.2.7	0x4070	Name error (3)	returnbright.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.099183083 CET	1.1.1.1	192.168.2.7	0x361d	Name error (3)	variousinside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.110130072 CET	1.1.1.1	192.168.2.7	0x7ebf	Name error (3)	returninside.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.144303083 CET	1.1.1.1	192.168.2.7	0x6450	Name error (3)	degreeready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.178760052 CET	1.1.1.1	192.168.2.7	0xe3f2	Name error (3)	forwardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.190239906 CET	1.1.1.1	192.168.2.7	0x1efb	Name error (3)	degreebrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.202291012 CET	1.1.1.1	192.168.2.7	0x343d	Name error (3)	forwardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.213856936 CET	1.1.1.1	192.168.2.7	0xa2b9	Name error (3)	degreepeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:23.246272087 CET	1.1.1.1	192.168.2.7	0x8093	Name error (3)	forwardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.156712055 CET	1.1.1.1	192.168.2.7	0x3a13	Name error (3)	forwarddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.167757988 CET	1.1.1.1	192.168.2.7	0xf9c7	Name error (3)	answerready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.178181887 CET	1.1.1.1	192.168.2.7	0xc19d	Name error (3)	glassready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.188976049 CET	1.1.1.1	192.168.2.7	0x4c7b	Name error (3)	answerbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.200680971 CET	1.1.1.1	192.168.2.7	0xa55c	Name error (3)	glassbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.232965946 CET	1.1.1.1	192.168.2.7	0xa4f	Name error (3)	answerpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.265383005 CET	1.1.1.1	192.168.2.7	0x79ad	Name error (3)	glasspeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.298288107 CET	1.1.1.1	192.168.2.7	0x3570	Name error (3)	answerdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.329695940 CET	1.1.1.1	192.168.2.7	0x9a73	Name error (3)	glassdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.341428995 CET	1.1.1.1	192.168.2.7	0x952	Name error (3)	difficultready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.373423100 CET	1.1.1.1	192.168.2.7	0x3f01	Name error (3)	heardready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.381778955 CET	1.1.1.1	192.168.2.7	0xb9f4	Name error (3)	difficultbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:24.413360119 CET	1.1.1.1	192.168.2.7	0xf7a6	Name error (3)	heardbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.083077908 CET	1.1.1.1	192.168.2.7	0x7895	Name error (3)	heardpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.094639063 CET	1.1.1.1	192.168.2.7	0x626f	Name error (3)	difficultdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.128739119 CET	1.1.1.1	192.168.2.7	0xd659	Name error (3)	hearddaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.140746117 CET	1.1.1.1	192.168.2.7	0x872d	Name error (3)	pleasantready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.152528048 CET	1.1.1.1	192.168.2.7	0x8c2	Name error (3)	necessaryready.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.185609102 CET	1.1.1.1	192.168.2.7	0x379	Name error (3)	pleasantbrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.196960926 CET	1.1.1.1	192.168.2.7	0x90c8	Name error (3)	necessarybrown.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.207999945 CET	1.1.1.1	192.168.2.7	0x5d2f	Name error (3)	pleasantpeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.219086885 CET	1.1.1.1	192.168.2.7	0x5714	Name error (3)	necessarypeople.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.230993986 CET	1.1.1.1	192.168.2.7	0x292e	Name error (3)	pleasantdaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.265225887 CET	1.1.1.1	192.168.2.7	0xdd7a	Name error (3)	necessarydaughter.net	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 16:06:25.276272058 CET	1.1.1.1	192.168.2.7	0xe0a2	Name error (3)	orderready.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

variousstream.net

returnbottle.net

gentleanother.net

glassbright.net

pleasantinstead.net

degreedaughter.net

difficultpeople.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	199.59.243.227	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:54.122488976 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:04:54.762036085 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:04:54 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 541fe9f9-23f6-45cf-be3b-488b150003dd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=541fe9f9-23f6-45cf-be3b-488b150003dd; expires=Thu, 07 Nov 2024 15:19:54 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:04:54.762058973 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTQxZmU5ZjktMjNmNi00NWNmLWJlM2ItNDg4YjE1MDAwM2RkIiwicGFnZV90aW1lIjoxNzMwOTkxOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	18.143.155.63	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:55.230233908 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:04:56.689035892 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:04:56 GMT Content-Type: text/html Connection: close Set-Cookie: btst=9e27cdb170c0174ff4726af4a481ba33\|173.254.250.79\|1730991896\|1730991896\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49702	54.244.188.177	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:04:58.222752094 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 16:04:59.054225922 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:04:58 GMT Content-Type: text/html Connection: close Set-Cookie: btst=ac11d3277249f8c5ebd86900e1719f64\|173.254.250.79\|1730991898\|1730991898\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	199.59.243.227	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:00.162895918 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 16:05:00.821821928 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:05:00 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 9ee304f9-df01-4c47-96c3-e7fce9f88eb6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=9ee304f9-df01-4c47-96c3-e7fce9f88eb6; expires=Thu, 07 Nov 2024 15:20:00 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:05:00.821846008 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWVlMzA0ZjktZGYwMS00YzQ3LTk2YzMtZTdmY2U5Zjg4ZWI2IiwicGFnZV90aW1lIjoxNzMwOTkxOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	57893	18.143.155.63	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:02.077590942 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 16:05:03.519365072 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:05:03 GMT Content-Type: text/html Connection: close Set-Cookie: btst=7073b7de6e7a802fd78ea0c1b16dd6d1\|173.254.250.79\|1730991903\|1730991903\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	57910	85.214.228.140	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:04.904403925 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 16:05:05.774672985 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 15:05:05 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	57918	13.248.169.48	80	1768	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:05:06.109601021 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: difficultpeople.net
Nov 7, 2024 16:05:06.771162987 CET	254	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 15:05:06 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	58142	199.59.243.227	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:13.250207901 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: variousstream.net
Nov 7, 2024 16:06:13.889210939 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:06:13 GMT content-type: text/html; charset=utf-8 content-length: 1066 x-request-id: 9f4ab666-2dca-4333-838f-25b91d6fdf84 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ== set-cookie: parking_session=9f4ab666-2dca-4333-838f-25b91d6fdf84; expires=Thu, 07 Nov 2024 15:21:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 48 57 78 4b 61 44 77 6f 44 6f 77 66 36 4c 4b 38 37 48 37 43 67 61 6e 64 75 64 43 5a 44 6d 51 47 5a 44 66 75 6c 48 7a 46 33 2b 71 61 37 37 57 52 36 7a 53 41 4f 70 32 47 6e 6f 6d 44 4b 45 7a 61 45 62 64 50 67 46 4f 47 31 48 77 38 41 67 68 7a 4e 4e 74 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SHWxKaDwoDowf6LK87H7CgandudCZDmQGZDfulHzF3+qa77WR6zSAOp2GnomDKEzaEbdPgFOG1Hw8AghzNNtEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:06:13.889235020 CET	519	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWY0YWI2NjYtMmRjYS00MzMzLTgzOGYtMjViOTFkNmZkZjg0IiwicGFnZV90aW1lIjoxNzMwOTkxOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	58143	18.143.155.63	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:13.939496040 CET	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: returnbottle.net
Nov 7, 2024 16:06:15.414011955 CET	387	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:06:15 GMT Content-Type: text/html Connection: close Set-Cookie: btst=eb18eb4d2642cd301ff41b44645d73cd\|173.254.250.79\|1730991975\|1730991975\|0\|1\|0; path=/; domain=.returnbottle.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	58144	54.244.188.177	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:17.821192026 CET	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: gentleanother.net
Nov 7, 2024 16:06:18.657655954 CET	388	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:06:18 GMT Content-Type: text/html Connection: close Set-Cookie: btst=7a630cf8a364776e0caacfa4c2db3944\|173.254.250.79\|1730991978\|1730991978\|0\|1\|0; path=/; domain=.gentleanother.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	58145	199.59.243.227	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:19.452415943 CET	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: glassbright.net
Nov 7, 2024 16:06:20.110213995 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 07 Nov 2024 15:06:19 GMT content-type: text/html; charset=utf-8 content-length: 1062 x-request-id: 3857a332-e5a8-47fa-8db4-711f45cc49d6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg== set-cookie: parking_session=3857a332-e5a8-47fa-8db4-711f45cc49d6; expires=Thu, 07 Nov 2024 15:21:20 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 73 31 4f 4c 7a 78 6e 55 4f 6e 45 48 37 31 36 6b 42 70 6b 2f 68 77 6b 51 57 33 67 38 4a 33 70 73 6a 42 43 51 35 37 47 55 41 5a 74 5a 53 32 46 34 65 75 65 4b 6c 34 69 45 6f 71 6d 42 39 71 74 37 68 6b 53 39 39 4e 49 43 2f 79 4b 66 4e 77 69 33 2b 4d 56 50 79 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_s1OLzxnUOnEH716kBpk/hwkQW3g8J3psjBCQ57GUAZtZS2F4eueKl4iEoqmB9qt7hkS99NIC/yKfNwi3+MVPyg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 7, 2024 16:06:20.110289097 CET	515	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzg1N2EzMzItZTVhOC00N2ZhLThkYjQtNzExZjQ1Y2M0OWQ2IiwicGFnZV90aW1lIjoxNzMwOTkxOT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	58146	18.143.155.63	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:20.285101891 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: pleasantinstead.net
Nov 7, 2024 16:06:21.716443062 CET	390	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Nov 2024 15:06:21 GMT Content-Type: text/html Connection: close Set-Cookie: btst=e2131ba7a081dfac7cd656e728cc2246\|173.254.250.79\|1730991981\|1730991981\|0\|1\|0; path=/; domain=.pleasantinstead.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=173.254.250.79; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	58147	85.214.228.140	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:23.253009081 CET	85	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: degreedaughter.net
Nov 7, 2024 16:06:24.144799948 CET	176	IN	HTTP/1.0 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 07 Nov 2024 15:06:24 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	58148	13.248.169.48	80	3920	C:\vdjmzgowdzhfmld\skjlipudplp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 16:06:24.419708014 CET	86	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: difficultpeople.net
Nov 7, 2024 16:06:25.070838928 CET	254	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 07 Nov 2024 15:06:24 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Target ID:	1
Start time:	10:04:48
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\YiqjcLlhew.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YiqjcLlhew.exe"
Imagebase:	0xbf0000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe
Wow64 process (32bit):	true
Commandline:	"C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe"
Imagebase:	0x2e0000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
Wow64 process (32bit):	true
Commandline:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
Imagebase:	0x1000000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7e7780000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:04:49
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:04:50
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:04:50
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe
Wow64 process (32bit):	true
Commandline:	owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Imagebase:	0x6b0000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:04:51
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
Wow64 process (32bit):	true
Commandline:	"C:\vdjmzgowdzhfmld\skjlipudplp.exe"
Imagebase:	0x1000000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:04:54
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	11:50:29
Start date:	07/11/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff62faa0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:50:29
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:50:47
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
Wow64 process (32bit):	true
Commandline:	"c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Imagebase:	0x1000000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:50:49
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe
Wow64 process (32bit):	true
Commandline:	owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Imagebase:	0x1a0000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:52:23
Start date:	07/11/2024
Path:	C:\vdjmzgowdzhfmld\skjlipudplp.exe
Wow64 process (32bit):	true
Commandline:	"c:\vdjmzgowdzhfmld\skjlipudplp.exe"
Imagebase:	0x1000000
File size:	282'112 bytes
MD5 hash:	F51DA33B8F97EC40E1960522549DCCA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.8%
Total number of Nodes:	1536
Total number of Limit Nodes:	28

Executed Functions

Function 00C1D0EB Relevance: 58.2, APIs: 28, Strings: 4, Instructions: 2186synchronizationsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C259B0: GetProcessHeap.KERNEL32(00000000,00000000,?,00C0FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C259C3
Part of subcall function 00C259B0: RtlFreeHeap.NTDLL(00000000,?,00C0FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C259CA

Part of subcall function 00C24650: GetSystemTime.KERNEL32(00BF2C4A,00000001,?,?,00BF2C4A), ref: 00C2473C

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00C1D651
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C1D721
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00C1D76D
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00C1D7A4
GetTickCount.KERNEL32 ref: 00C1D82E
Sleep.KERNEL32(00000D05), ref: 00C1DE9B
Sleep.KERNEL32(000003E8), ref: 00C1E039
GetCommandLineA.KERNEL32 ref: 00C1D9EB

Part of subcall function 00BFC9B0: ExitProcess.KERNEL32 ref: 00BFC9E8

Part of subcall function 00C14990: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C14A04

Strings

l, xrefs: 00C1E388
U"Kd, xrefs: 00C1F765
Qt$[, xrefs: 00C1F2C5
C:\Users\user, xrefs: 00C1D642

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Create$Mutex$HeapProcessSleep$CommandCountEnvironmentExitFileFreeLineSystemTickTimeVariable
String ID: C:\Users\user$Qt$[$U"Kd$l
API String ID: 2753435600-1084280013
Opcode ID: a0a8dd057a3edd99d81c370bddd27eb3a86eda0b3175e711028ec1538b739700
Instruction ID: 4160da3b6d626ddce739c3444a0f1240683e91d958addafd918ba753c42bd866
Opcode Fuzzy Hash: a0a8dd057a3edd99d81c370bddd27eb3a86eda0b3175e711028ec1538b739700
Instruction Fuzzy Hash: 911356B5A20300DFD724EF62FD867AD3BB0FB95301B114119E942A72B5EBB089A5DF41

Function 00BF7FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00C70FB0), ref: 00BF808B
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00BF81E4
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00BF8408
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00BF8433
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00BF84CC
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF85D1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00BF896A
CreateDirectoryA.KERNEL32(?,00000000), ref: 00BF8A1A

Part of subcall function 00C10CF0: wvsprintfA.USER32(00001237,01340C30,01343EC8), ref: 00C10D77

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00BF8C2E

Part of subcall function 00C12260: lstrlen.KERNEL32(?,?,00BF7614,?,?,C:\vdjmzgowdzhfmld\,?,?,00BF17C4,?), ref: 00C12283

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00BF8DEE
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00BF8F47
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00BF90F7

Strings

\, xrefs: 00BF8CD5
C:\vdjmzgowdzhfmld\, xrefs: 00BF850F, 00BF899C, 00BF8D95, 00BF8F5E
C:\Users\user, xrefs: 00BF87D1, 00BF886D

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionlstrlenwvsprintf
String ID: C:\Users\user$C:\vdjmzgowdzhfmld\$\
API String ID: 2935959199-2236001584
Opcode ID: 51e01d8edea8db1fd07a0fd6427dd99a4ed96a4bd55c96719f24a9bf487e6d41
Instruction ID: fb02a3ad059454ffffb7a51e68e5173ec975405b4588a2ad0ac785817eee7757
Opcode Fuzzy Hash: 51e01d8edea8db1fd07a0fd6427dd99a4ed96a4bd55c96719f24a9bf487e6d41
Instruction Fuzzy Hash: 3A9269B5A10309DFD724AF22FC897BD3BB0FB94301B118195E642A31B5EBB049A9CF55

Function 00BF3740 Relevance: 7.7, APIs: 5, Instructions: 236
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,?,00000001), ref: 00BF38AD
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00BF39A7
DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00BF3AB9
FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00BF3AD1
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00BF3AF2

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 7120acea61b3c390d973587e08509ca727e809f49b9643e48713479bc04e0ce2
Instruction ID: 40249f65682f0d600c5f39acb000f32bd1786fd8a78678d950ab17aa6c88546a
Opcode Fuzzy Hash: 7120acea61b3c390d973587e08509ca727e809f49b9643e48713479bc04e0ce2
Instruction Fuzzy Hash: 65A10075520208CBC328DF26FC967BD3BF4FB84701B15415AE582D72B5EBB08AA5CB81

Function 00C11510 Relevance: 3.1, APIs: 2, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00BF80AE,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00BF80AE), ref: 00C11592
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00C1163E

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 7512ff7c3fc42728c3f7a4739a52c0689242021e361e70dc35201e1389658b88
Instruction ID: 31e8c1ec7aa67203e54958baacf41ca0214e3176136e2082a0ac10c6e7cc5367
Opcode Fuzzy Hash: 7512ff7c3fc42728c3f7a4739a52c0689242021e361e70dc35201e1389658b88
Instruction Fuzzy Hash: 3841DDB6A01344EFCB248FA6FD88BAC7B74FB55301B548599E841A3279DBB005A9DF10

Function 00C259B0 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00C0FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C259C3
RtlFreeHeap.NTDLL(00000000,?,00C0FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C259CA

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0773b2728ccb1f07552f02e95f3ff19ea1276f7048b0de6caf5129563be13a6f
Instruction ID: 1c637abdd257c1b37a70f7f4d64e18a9b13e0c24690d5910a548ba4e5ae801bd
Opcode Fuzzy Hash: 0773b2728ccb1f07552f02e95f3ff19ea1276f7048b0de6caf5129563be13a6f
Instruction Fuzzy Hash: 4BD012B00593489FC7605FAAEC49B1E3BACEF18616F054140F54BCA570C7716851CF65

Function 00C0B38E Relevance: 1.8, Strings: 1, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`14, xrefs: 00C0BED3

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: `14
API String ID: 0-772651746
Opcode ID: 2244dc844f465b4dd24b8c22ffbf1c455db685accc810ab155cdcca9c1cbd8d9
Instruction ID: 926df0abe0fc7b37fa3232b8f741ba964b6bbed56d5859c0eacd947c6d11cc80
Opcode Fuzzy Hash: 2244dc844f465b4dd24b8c22ffbf1c455db685accc810ab155cdcca9c1cbd8d9
Instruction Fuzzy Hash: 3A52E37AA21701CFC368DF26FD8932D3BB0FB95311312451AD482E26B4E7B589A6CF45

Function 00BFB1D0 Relevance: 10.8, APIs: 7, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BFB2EE
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00BFB326
CloseHandle.KERNELBASE(00000000), ref: 00BFB33F
GetTickCount.KERNEL32 ref: 00BFB37C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00BFB558
WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00BFB5AB
CloseHandle.KERNEL32(00000000), ref: 00BFB5BC

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 1b6dfeb672cb1ebf73d979c6c7bb814ec96ec2410e506ef3ba7d36fe45ef986b
Instruction ID: 253fa340f2bc8250de0a3d344d4d4ee2a01c8d419b3bf469aa19353faf05735b
Opcode Fuzzy Hash: 1b6dfeb672cb1ebf73d979c6c7bb814ec96ec2410e506ef3ba7d36fe45ef986b
Instruction Fuzzy Hash: BEB12271A20304EFD318AF25FD86B7E3BB4FB95301F104019E941AB2B1E7B09956CB96

Function 00C05EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00001237,01340C30,00000000,00000000,00000000,00000008,00000000,00000000,00000044,01343EC8), ref: 00C0602B
CloseHandle.KERNEL32(01340C30), ref: 00C06043
CloseHandle.KERNEL32(01343EC8), ref: 00C06072

Strings

D, xrefs: 00C05FB1

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: b3e3c6bb3c177e7535d8ba70b173200f950d11140ecb91b4ca97e7bde4432392
Instruction ID: 30fbc050b53d78573be97f4e12674d9321135bff903cb324f3c18f8539e6400b
Opcode Fuzzy Hash: b3e3c6bb3c177e7535d8ba70b173200f950d11140ecb91b4ca97e7bde4432392
Instruction Fuzzy Hash: AD51DF766107058BC708CF64ED92BBE77B4F754702F14802DE902DB6B4E7B89946CB41

Function 00C156A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00C08C4F,02053FC0,?,?,?,?,00C155F4), ref: 00C156EE
RtlAllocateHeap.NTDLL(00000000,?,00C08C4F,02053FC0,?,?,?,?,00C155F4), ref: 00C156F5

Strings

|Q.H, xrefs: 00C156C8

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: |Q.H
API String ID: 1357844191-517162033
Opcode ID: 5c7221fbba674fbf80832f3cb65b18a286dc952800e0a684e3a3094fd4c1fc57
Instruction ID: 8e9fa80c663960d53631bc72652b00b9dd0c674fa8beafb7cb04d7c7eb844a0c
Opcode Fuzzy Hash: 5c7221fbba674fbf80832f3cb65b18a286dc952800e0a684e3a3094fd4c1fc57
Instruction Fuzzy Hash: 10E0223422974BEFD7108F98FCC8BAE3B34F349B227014100F006CB630CA7894888761

Function 00BF70D0 Relevance: 4.8, APIs: 3, Instructions: 285
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C18570: WaitForSingleObject.KERNEL32(?,00004E20,?,00BF264E,0000012C,00000000,00000001,?,?,00C11B87,00BF17D5,?), ref: 00C185D7

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 00BF71F7
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 00BF740F

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: File$CreateObjectSingleWaitWrite
String ID:
API String ID: 3285871581-0
Opcode ID: d0536542099db2f2e2c9b1a97caf2bd526bd7ef2edc850f992025cad4bc451a5
Instruction ID: b2d9e33da8c1b905125655352bd302bb30a4616d204187932b8efd7c3e9b1ea0
Opcode Fuzzy Hash: d0536542099db2f2e2c9b1a97caf2bd526bd7ef2edc850f992025cad4bc451a5
Instruction Fuzzy Hash: 91C146B6A24304DFD714DF22FC8576D37B4F798302B2140A9E546A72B4EBB098A4CF85

Function 00BF7309 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 00BF740F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7525

Part of subcall function 00C12290: ReleaseMutex.KERNEL32(00BF2A8B,?,00BF2A8B,0000012C), ref: 00C122E7

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: ee7a1efcca7091ccf1409aba58e91e8dc69a978e6616e101758e8399ba26520f
Instruction ID: 7830469f91869466a87b9281492b87e5768f0729efbaf6f7ec41ff06fce401bc
Opcode Fuzzy Hash: ee7a1efcca7091ccf1409aba58e91e8dc69a978e6616e101758e8399ba26520f
Instruction Fuzzy Hash: 185142B6E20204CFC724DF25FD8476D3BB5F784302B214096E546A72B8EB7099A4CF86

Function 00BF7307 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 00BF740F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7525

Part of subcall function 00C12290: ReleaseMutex.KERNEL32(00BF2A8B,?,00BF2A8B,0000012C), ref: 00C122E7

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: d1208bad1c694483ed41cc8e3531caf80a9ed030b94e12b6de7d9653501897d4
Instruction ID: 77aa597bfe3e37b7c07764c1164ba406909e6ad48d4435e9c6d0d1b8f59950fd
Opcode Fuzzy Hash: d1208bad1c694483ed41cc8e3531caf80a9ed030b94e12b6de7d9653501897d4
Instruction Fuzzy Hash: C15142B6E20204CFC714DF25FD8076D3BB5F788302B214096E546A72B8EB7099A4CF86

Function 00C15535 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C16BE0: GetStdHandle.KERNEL32(000000F6,?,?,00C15560), ref: 00C16C12
Part of subcall function 00C16BE0: GetStdHandle.KERNEL32(000000F5,?,?,00C15560), ref: 00C16C6A
Part of subcall function 00C16BE0: GetStdHandle.KERNEL32(000000F4,?,?,00C15560), ref: 00C16D53

ExitProcess.KERNEL32 ref: 00C1561B

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: 16664b9356ebcbe17e90ab9cc8b0a5dc8df9b7094310fecc0d7ed9ff3f25bb71
Instruction ID: f1dabdfdd938d3d678bbbdb0145716257790c527e0164afc8cc359ca9eda4a95
Opcode Fuzzy Hash: 16664b9356ebcbe17e90ab9cc8b0a5dc8df9b7094310fecc0d7ed9ff3f25bb71
Instruction Fuzzy Hash: 63113A76A21640DFDB20AF30FDC635D37A9F75434231A8025E442DBA75EB74C8A6EB40

Function 00BFC9B0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00BFC9E8

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 97be10f4724d18517a40d7ab6435811f4045bb8f2232046c670630362763bd9d
Instruction ID: f6aa1dc37b10d588cf0968ec1f55dfff1dfbaf8a5c6436ebe7221d6bba059282
Opcode Fuzzy Hash: 97be10f4724d18517a40d7ab6435811f4045bb8f2232046c670630362763bd9d
Instruction Fuzzy Hash: 25E0BDB8220308CFC308AF66FC8572D3B68FB847403118019E84986231C7B4A891CF9A

Function 00C18A10 Relevance: 1.3, APIs: 1, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,00000000,?,00BF220B,?,?,?), ref: 00C18A81

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: ef62fd1eef6d43a3f293f653f5f0d8671c7b9fd3c66e1e0a9bc63a9729561e17
Instruction ID: 74a798cadbb8d5c71075d8b6093d71990d44676f20109389e8161736b8c11736
Opcode Fuzzy Hash: ef62fd1eef6d43a3f293f653f5f0d8671c7b9fd3c66e1e0a9bc63a9729561e17
Instruction Fuzzy Hash: C5210875915614DFD328DFA4FC993BD3BB4F389321311442AE596D25B4EB7048E2CB41

Non-executed Functions

Function 00C06C30 Relevance: 25.7, APIs: 10, Strings: 4, Instructions: 1156COMMON

Download Yara Rule

Strings

~~w, xrefs: 00C06DA1
]:8, xrefs: 00C070AD
y.n, xrefs: 00C07C9C
/, xrefs: 00C06F31

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: /$]:8$y.n$~~w
API String ID: 0-3013001717
Opcode ID: 667471cea8b12353f5263317a08338f57d8c63b4fa725f35745e84b38830f532
Instruction ID: 6de679da8af8c0f89ba34d2eccccd47b2bdcf93651f95d30d0c4479ffeb9e008
Opcode Fuzzy Hash: 667471cea8b12353f5263317a08338f57d8c63b4fa725f35745e84b38830f532
Instruction Fuzzy Hash: 6FA23275A20205CFD728EF62FC867AD3BB4FB94301F114129E546922F4EBB059A6CF52

Function 00C236D0 Relevance: 21.8, APIs: 11, Strings: 1, Instructions: 814memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,00C00E0A,?), ref: 00C23945
LoadLibraryA.KERNEL32(00000000,?,00000001,?,?,?,?,?,00000000), ref: 00C23A07
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C23AF2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00C23B50
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 00C23BF7
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00C23C42
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00C23D56
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 00C23D94
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00C23E0E
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00C244A5
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00C244CF

Strings

V\v(, xrefs: 00C24086

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Free$HeapLibrary$Alloc$AddressLoadProcProcess
String ID: V\v(
API String ID: 1560921867-3864276540
Opcode ID: 537af3ba1f29c2c73961214c682c67129ca31ef166f60ab465daa5e9f0d19685
Instruction ID: 93204e78ea15450f69247a08eae6ccea4c87a99a2349948d78e902916f3ff342
Opcode Fuzzy Hash: 537af3ba1f29c2c73961214c682c67129ca31ef166f60ab465daa5e9f0d19685
Instruction Fuzzy Hash: 26722375A20210CFC728DF22FD8576D3BF5FB98311B11811AD882A7AB4E7B589A1DF41

Function 00C0D716 Relevance: 19.0, Strings: 14, Instructions: 1550COMMON

Download Yara Rule

Strings

x, xrefs: 00C0E102
d, xrefs: 00C0E3A7
p, xrefs: 00C0D866
awwr, xrefs: 00C0E5E8
p, xrefs: 00C0E35A
d, xrefs: 00C0E073
0, xrefs: 00C0E7E4
l, xrefs: 00C0E2FD
d, xrefs: 00C0D9D0
EsY, xrefs: 00C0EC30
%, xrefs: 00C0E269
X, xrefs: 00C0E107
o, xrefs: 00C0E7D7
l, xrefs: 00C0E2D5

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: wvsprintf
String ID: %$0$X$awwr$d$d$d$l$l$o$p$p$x$EsY
API String ID: 2795597889-1318961113
Opcode ID: e4cadbdb9dd4753b01b019446133b6fe479b15b6a3b9a564be004a29ca0de652
Instruction ID: 10b3b483bd300df71149f96864897075f760d92c6cd6ec9a1934b904a732149d
Opcode Fuzzy Hash: e4cadbdb9dd4753b01b019446133b6fe479b15b6a3b9a564be004a29ca0de652
Instruction Fuzzy Hash: 0AE224B5A20205CFD724DF66FD8936C3BB0F794301B25451AD482A36F8E7B189A6CF85

Function 00BF53B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 203serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00BF546E
CreateServiceA.ADVAPI32(00000000,01340BF0,01340BF0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BF54BD
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00BF5503
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00BF5533
CloseServiceHandle.ADVAPI32(00000000), ref: 00BF5593
OpenServiceA.ADVAPI32(00000000,01340BF0,00000010), ref: 00BF55DE
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00BF566C
CloseServiceHandle.ADVAPI32(00000000), ref: 00BF567D
CloseServiceHandle.ADVAPI32(00000000), ref: 00BF56CC

Strings

|Sxz, xrefs: 00BF5442

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID: |Sxz
API String ID: 3525021261-962673421
Opcode ID: 366ec056588617d5c0774fda7aa584d762365987572e93efe40ab80549ecae2b
Instruction ID: 0578cb140e3c2aa8f6fcb965d0cb6c09cd5225ffc012bb880df7687473cf9476
Opcode Fuzzy Hash: 366ec056588617d5c0774fda7aa584d762365987572e93efe40ab80549ecae2b
Instruction Fuzzy Hash: C081EC71A21B04DFD324DF66FD8676E3BB4F794311F20401AEA42A76B4EBB05892CB45

Function 00C10250 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00000000), ref: 00C1035F
Process32First.KERNEL32(00000000,?), ref: 00C103DB

Strings

i*Vd, xrefs: 00C1039C

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: i*Vd
API String ID: 2353314856-4103011120
Opcode ID: dc069e7eb1bb4cb9ee265ab2b6ce57f114f4bde8235a1f1929c8fb9121beb4de
Instruction ID: df540d02ce379015dc6b0d3848fbf78fe17d0d9095b1c90fa34c69c68c12df83
Opcode Fuzzy Hash: dc069e7eb1bb4cb9ee265ab2b6ce57f114f4bde8235a1f1929c8fb9121beb4de
Instruction Fuzzy Hash: 2BA132B5A20704DBC324AF66FC957BD37B0F786311B204419D482A22B5FBB049E1DF95

Function 00C062D0 Relevance: 7.9, APIs: 5, Instructions: 424serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00C0643A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00C064AC
GetLastError.KERNEL32 ref: 00C064C1
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00C065D1
CloseServiceHandle.ADVAPI32(00000000), ref: 00C06829

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 42607d15a69203ce7b00e84c962c2fff7fb5eaac40152658b0389acafff990e1
Instruction ID: 56a1787d55011ca50ed484461fcea2bcccdb94dfdf5351c2726890ad42a293b1
Opcode Fuzzy Hash: 42607d15a69203ce7b00e84c962c2fff7fb5eaac40152658b0389acafff990e1
Instruction Fuzzy Hash: DB0257B6A10604DFC724DFA6FD897AD3BB0FB84311B214119D582A32B4EBB049B5CF85

Function 00C0D755 Relevance: 7.1, Strings: 5, Instructions: 822COMMON

Download Yara Rule

Strings

EsY, xrefs: 00C0EC30
p, xrefs: 00C0D866
d, xrefs: 00C0E073
o, xrefs: 00C0E7D7
0, xrefs: 00C0E7E4

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: 0$d$o$p$EsY
API String ID: 0-2256640996
Opcode ID: 7b25d58ad243bdbb0f7a2d6f08d22b7aa299422484f611f311914aad394b8449
Instruction ID: b878b1ac0622af7a07ce4776c6e77927ad96d9a976f82148575514ba9245f540
Opcode Fuzzy Hash: 7b25d58ad243bdbb0f7a2d6f08d22b7aa299422484f611f311914aad394b8449
Instruction Fuzzy Hash: 0682F3B5A20205CFC728DF66FD8936C7BB1F794301725452AC482A36B4E7B189A6CF85

Function 00C0D79A Relevance: 7.1, Strings: 5, Instructions: 818COMMON

Download Yara Rule

Strings

EsY, xrefs: 00C0EC30
p, xrefs: 00C0D866
d, xrefs: 00C0E073
o, xrefs: 00C0E7D7
0, xrefs: 00C0E7E4

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: 0$d$o$p$EsY
API String ID: 0-2256640996
Opcode ID: fec03c28b521dcbaf45f7e88eca1a7cd496cad78171b7d437ca01f42fa59c61b
Instruction ID: 5cb241e0367a6b47973e0964cb624aa3c55ba2a021a9bb53dba6bad54fa4a359
Opcode Fuzzy Hash: fec03c28b521dcbaf45f7e88eca1a7cd496cad78171b7d437ca01f42fa59c61b
Instruction Fuzzy Hash: D37204B5A20205CFC728DF66FD8936C7BB1F794301725452AC482A36B4E7B189A6CF85

Function 00C0D772 Relevance: 7.1, Strings: 5, Instructions: 817COMMON

Download Yara Rule

Strings

EsY, xrefs: 00C0EC30
p, xrefs: 00C0D866
d, xrefs: 00C0E073
o, xrefs: 00C0E7D7
0, xrefs: 00C0E7E4

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: 0$d$o$p$EsY
API String ID: 0-2256640996
Opcode ID: 2c3df417533cdf4d49acb0af61dfcd7d1fa638b4d2d7a64c17d48a60fc64c928
Instruction ID: 3dbd0c6a3c63f3a1b7032d8b1c2434b388877bdd9edb7c6bfa83006eb7d27402
Opcode Fuzzy Hash: 2c3df417533cdf4d49acb0af61dfcd7d1fa638b4d2d7a64c17d48a60fc64c928
Instruction Fuzzy Hash: B072F3B5A20205CFC728DF66FD8936C7BB1F794301725452AC482A36B4E7B189A6CF85

Function 00C0C2A0 Relevance: 6.7, Strings: 4, Instructions: 1665COMMON

Download Yara Rule

Strings

2oD, xrefs: 00C0D082
F~0, xrefs: 00C0D013
EsY, xrefs: 00C0EC30
l, xrefs: 00C0D1E3

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: 2oD$l$EsY$F~0
API String ID: 0-3995863994
Opcode ID: 6dfb203e9df3e0be67d8bb272f56878c664b55da3238af3718112da66fdde7e6
Instruction ID: 19dbf0c81ee350ee87ca7f348d1ebb0e9e8f7ccd834e44a789873fcd5b2d04ab
Opcode Fuzzy Hash: 6dfb203e9df3e0be67d8bb272f56878c664b55da3238af3718112da66fdde7e6
Instruction Fuzzy Hash: 0EF201B5A20301CFC728DF66FD8536C3BB1F795301721861AD482A76B9E7B489A2CF45

Function 00C0422D Relevance: 4.9, Strings: 3, Instructions: 1129COMMON

Download Yara Rule

Strings

e!Y, xrefs: 00C05600
P$`U, xrefs: 00C04CBB
c!N|, xrefs: 00C04CFE

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: P$`U$c!N|$e!Y
API String ID: 0-1342610667
Opcode ID: b07c055a20dfcf31da7296af8790ca366e45628c7069fe48f0b45361daf2bcc0
Instruction ID: dc60c7a425c973a825e2cd8a7f14e62380f090d2d77e415fab2ba0ff533c7faf
Opcode Fuzzy Hash: b07c055a20dfcf31da7296af8790ca366e45628c7069fe48f0b45361daf2bcc0
Instruction Fuzzy Hash: 98B2B9BAA20605CFC728DF66FD8536D3BB0FB58311316451AD842E76B0E7B099A1CF85

Function 00C20930 Relevance: 4.8, Strings: 3, Instructions: 1084COMMON

Download Yara Rule

Strings

p66, xrefs: 00C21723
U!qV, xrefs: 00C209F5
Ip!, xrefs: 00C21396

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: Ip!$U!qV$p66
API String ID: 0-2622703595
Opcode ID: 3691de3aadea2234ac167dfd0007afa7eb04ddbc622419a34951d2b928138cf2
Instruction ID: 9657c20a462dcabe8e225b63493dbf194728a6b9f8ff44d2eab9f26f63fe090b
Opcode Fuzzy Hash: 3691de3aadea2234ac167dfd0007afa7eb04ddbc622419a34951d2b928138cf2
Instruction Fuzzy Hash: B8A25375A10315CFCB24DF65FD817AE7BB1FB98310B25821AE802A76B4E7709995CF80

Function 00C248F0 Relevance: 4.7, Strings: 3, Instructions: 958COMMON

Download Yara Rule

Strings

#DK`, xrefs: 00C25673
=t, xrefs: 00C2555C
<n, xrefs: 00C25350

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: #DK`$<n$=t
API String ID: 0-4127147426
Opcode ID: f8ee4bfcedf3a88d8aa679b9ec178ac4259bbb59a93ee35af3d4aced1e3f829d
Instruction ID: 95b4da38e1c2562afcdaec1b444860b92bb8608973ba7c3a16e1c3e30107fb91
Opcode Fuzzy Hash: f8ee4bfcedf3a88d8aa679b9ec178ac4259bbb59a93ee35af3d4aced1e3f829d
Instruction Fuzzy Hash: C88266B5A20616DFCB24DF66FD85BBE37B4FB94300B104119E802A36B4E7709A95CF91

Function 00BF2AE0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 690sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000008AE), ref: 00BF35BC

Strings

m%X, xrefs: 00BF2C87

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Sleep
String ID: m%X
API String ID: 3472027048-509761171
Opcode ID: b0b1334b992858637970a7177adf1aa2a49cdb8241b2fec98b550a2f13594837
Instruction ID: af2d92a3651dd6cf5282e11b0c7d0b9c3afc3b2f9d11d6e2e577c652fc277e36
Opcode Fuzzy Hash: b0b1334b992858637970a7177adf1aa2a49cdb8241b2fec98b550a2f13594837
Instruction Fuzzy Hash: DD5232BAA20304DBC718DF65FD867AD3BF0FB44311B10415AD942A32B5EBB04AA9CF55

Function 00BF9820 Relevance: 3.7, APIs: 2, Instructions: 677threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00C14EB0,00000000,00000000,00000000), ref: 00BF9FA3
CloseHandle.KERNEL32(00000000), ref: 00BF9FD2

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: a8568396dbee1ac85a26eb6660c623dc601c1901e039dcdfd55119f91a97a69f
Instruction ID: 09e7445d651bbcbb0f9301bdb46f81807bb93a537d48b45b519a93179f2d310c
Opcode Fuzzy Hash: a8568396dbee1ac85a26eb6660c623dc601c1901e039dcdfd55119f91a97a69f
Instruction Fuzzy Hash: E75245B5A20204CFC728EF22FC8577D3BB5FB95301B118159E542A72B4EBB048A9CF56

Function 00BF7A90 Relevance: 3.1, APIs: 2, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00BF2C4A), ref: 00BF7AD5
__aulldiv.LIBCMT ref: 00BF7B08

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Time$FileSystem__aulldiv
String ID:
API String ID: 2838486344-0
Opcode ID: d1c4f8005d623f4ade9bc7d64ea50757f6dc90f707bf5d223fee46cdc7f040fd
Instruction ID: db24d3e5b108fc353ac503593e4b2d63ff3eb975cc08a1463302f57793554f33
Opcode Fuzzy Hash: d1c4f8005d623f4ade9bc7d64ea50757f6dc90f707bf5d223fee46cdc7f040fd
Instruction Fuzzy Hash: 1831337A965304CBC728CF55FCA137C77B1F78932672142AEE982A75B1EB744880DB80

Function 00C00950 Relevance: 2.2, APIs: 1, Instructions: 742COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 00C00B3D

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 79f6e337a625998cc08c05b243ba0eb072be1f13afc7d1299ac6adacb108c050
Instruction ID: 2ec996019146181cc21f1d9ac69aa84220f17fa473dd6fea3f41551651c479d4
Opcode Fuzzy Hash: 79f6e337a625998cc08c05b243ba0eb072be1f13afc7d1299ac6adacb108c050
Instruction Fuzzy Hash: 61621075920209CFC728EF61FC96BAE37B4FB94301F10416AE542A31B5EBB05A99CF51

Function 00BFD1F0 Relevance: 2.0, Strings: 1, Instructions: 740COMMON

Download Yara Rule

Strings

h4_[, xrefs: 00BFDCB0

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: h4_[
API String ID: 0-1026458715
Opcode ID: 0a7755cf3a54b81aef33edc3692249846cdfbb9af46716364cd278fee9ad1713
Instruction ID: f6ad7e0a7fb38753c30888dece6e35c0658e76ca6dba5c59a6b08ecdf14b96e8
Opcode Fuzzy Hash: 0a7755cf3a54b81aef33edc3692249846cdfbb9af46716364cd278fee9ad1713
Instruction Fuzzy Hash: E86254B9920309DFC714EF62FC853BD3BB2F755301B11419AD682A72B5E7B148A9CB81

Function 00C0D243 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

EsY, xrefs: 00C0EC30

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: EsY
API String ID: 0-1269534008
Opcode ID: 21e8365e62cb137256c8e8be4e5d49c03d46a584db0074a31db3d00bfa15cc91
Instruction ID: 4090857effd2fcf3bcb261a7c9121746f3a9064faf76542d6ec0103823587ad1
Opcode Fuzzy Hash: 21e8365e62cb137256c8e8be4e5d49c03d46a584db0074a31db3d00bfa15cc91
Instruction Fuzzy Hash: E96245B5A20205CFC724DF66FD8936C3BB0F794301726451AD482A36F9E7B189A6CF85

Function 00C0D271 Relevance: 1.8, Strings: 1, Instructions: 515COMMON

Download Yara Rule

Strings

EsY, xrefs: 00C0EC30

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: EsY
API String ID: 0-1269534008
Opcode ID: 84eed14701b38500299ad53333b5cb5c2819326a4d236cd5e9ccbad50a699a6a
Instruction ID: 9cb127f024018c6e25504805679a4c1924579d9f3cdd1fd52bd59fd0471bfcc7
Opcode Fuzzy Hash: 84eed14701b38500299ad53333b5cb5c2819326a4d236cd5e9ccbad50a699a6a
Instruction Fuzzy Hash: 922246B5A20205CFC724DF66FD8936C3BB1F794301726451AC482A36B9E7B189E6CF85

Function 00BFD446 Relevance: 1.7, Strings: 1, Instructions: 472COMMON

Download Yara Rule

Strings

h4_[, xrefs: 00BFDCB0

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID: h4_[
API String ID: 0-1026458715
Opcode ID: cca4f423d092ee87d9a9a2410113de5337bbf1dcbe1f09183355c1e67b3352ef
Instruction ID: dadef20aad8e221b4166738d2e76afc47fb8f1864fd31d222bfe15ed32dfa22d
Opcode Fuzzy Hash: cca4f423d092ee87d9a9a2410113de5337bbf1dcbe1f09183355c1e67b3352ef
Instruction Fuzzy Hash: 2C225879920249CFDB24DF65FC953BC3BB2F751300B11819AD5829B2B5D7B1489ACB81

Function 00BF6430 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00BF645B

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: dcdb4e6f297f51de0b6517b5f6d6d4745529c7fcf9b1ecdd2adf0070fa552461
Instruction ID: 54602abd659dc53f2a2d0affa030ffbdb544956686069f7ebec779dad0bfac7b
Opcode Fuzzy Hash: dcdb4e6f297f51de0b6517b5f6d6d4745529c7fcf9b1ecdd2adf0070fa552461
Instruction Fuzzy Hash: C7E04FB2C24308EFC700DFA4EC443AEBBB4F704310B104999D90597210EB7046048F80

Function 00BFA6F0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e617e6cc4e0a9c2b849aafbf7c186f2dd9fc1670336c01bf3b223cd0249272
Instruction ID: bcb6cc3edf02fa5a47433234414cc9ad6c45b3db5a846503b6a92c9879969ba0
Opcode Fuzzy Hash: e3e617e6cc4e0a9c2b849aafbf7c186f2dd9fc1670336c01bf3b223cd0249272
Instruction Fuzzy Hash: 2D1217B9A20705CFC3289F2AFD8936C7BF1F794311322415AD485A36B4E77588A6CF45

Function 00C22170 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2352d65f8cf122124de965f7c4b3e41b1a19299537289aa25cde7788965ba8e2
Instruction ID: 961a579e4a3fd6bbd1171eee390a90acde3632ac81aff37598c2be8208a5d529
Opcode Fuzzy Hash: 2352d65f8cf122124de965f7c4b3e41b1a19299537289aa25cde7788965ba8e2
Instruction Fuzzy Hash: EF0288B2A10201EFC724EF66FC9576D3BB4F7943107214529E482E36B5EBB588A1CF94

Function 00C202F0 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f80ef365a11289e8dba648340ac6f81d86b5488ba985f4b148939ec09d2fdb
Instruction ID: 8b4bbcc4e3d4d4eb41c22c46eb5817d417c66cd9b62bb93602e543a168023aad
Opcode Fuzzy Hash: 59f80ef365a11289e8dba648340ac6f81d86b5488ba985f4b148939ec09d2fdb
Instruction Fuzzy Hash: 1BF11F76A20214CFC728DF6AFCA537C7BB1FB98311715812AD842A76B4D7B458A1CF84

Function 00C1F790 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3126145176e8d60153698f2e4cd09e682db078f9cde4eed1e6113c53ce8383
Instruction ID: beafa69cbf66b3259468f703e67b1c1218c9eaaaf4ea8ad1d4e535ae0b27caec
Opcode Fuzzy Hash: 2b3126145176e8d60153698f2e4cd09e682db078f9cde4eed1e6113c53ce8383
Instruction Fuzzy Hash: 73F11075A21604CFC328CF29FD853AD3BB0FBA9311715812AD882E73B5E7749896CB45

Function 00C10670 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0c4763e10318492db9cf3ad23cb8d6dde60628bad389a7772f8c5a436a364a
Instruction ID: e59cd07603c2d62cbc24634bb3442ed5524fb2b76c55508d15bf517789f258f3
Opcode Fuzzy Hash: ff0c4763e10318492db9cf3ad23cb8d6dde60628bad389a7772f8c5a436a364a
Instruction Fuzzy Hash: C7F1DE76A24305CFC7289F16FDA13AC37B0FB553153254019D882AB6B1E3B098E1EF85

Function 00BF45C0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b899653cc9ca3ca906e91ecbe3f779f50218a15a8aba1c3f52140627953608b
Instruction ID: 8e50c01eb0b3a4cfb9012e8e5f50f28cc28545315449e454bee96f713a53a7ad
Opcode Fuzzy Hash: 7b899653cc9ca3ca906e91ecbe3f779f50218a15a8aba1c3f52140627953608b
Instruction Fuzzy Hash: E4D14276A21705CFC318DF26FC8537E3BB0F795311711815AE882976B5EBB488A6CB44

Function 00C13860 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c96d310060bf5972bfac0d539955d385eb0c093c604d593c3b568b5aa90525
Instruction ID: aa14b8a9097b3332d73a0d669884d45ae8a3c4fb56ce7139b4ed886ed5efad55
Opcode Fuzzy Hash: f8c96d310060bf5972bfac0d539955d385eb0c093c604d593c3b568b5aa90525
Instruction Fuzzy Hash: BAB10172A20254DFD724CF65FC81BAD33B5FB49314F108546E806EB2B8E7709A91DB81

Function 00C15710 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990ce5240aa6c3e68fa078b31abd9ac2801abf7540429e814feaad908ca120a
Instruction ID: 65c52c3de87474e0d25de138af316d9257c4f111359d5d8d6bf15af628836115
Opcode Fuzzy Hash: a990ce5240aa6c3e68fa078b31abd9ac2801abf7540429e814feaad908ca120a
Instruction Fuzzy Hash: 4E912076920B11CFC720CF2AEC8176D77B2FBD9321715822AD81597678E770A982DF80

Function 00BFCA00 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 426pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BFCB8A
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00BFCBD0
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BFCC2C
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00BFCCA8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 00BFCE0D
CloseHandle.KERNEL32(?), ref: 00BFCE48
CloseHandle.KERNEL32(?), ref: 00BFCE70
CloseHandle.KERNEL32(?), ref: 00BFCEA0
CloseHandle.KERNEL32(?), ref: 00BFCEB8
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00BFCFA0
CloseHandle.KERNEL32(?), ref: 00BFCFD3
CloseHandle.KERNEL32(?), ref: 00BFCFEE
WaitForSingleObject.KERNEL32(?,00002710), ref: 00BFD09F
CloseHandle.KERNEL32(?), ref: 00BFD0B3
CloseHandle.KERNEL32(?), ref: 00BFD0EB

Strings

D, xrefs: 00BFCCEF
S')G, xrefs: 00BFCC05

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D$S')G
API String ID: 1130065513-1494146028
Opcode ID: 8ce571f228c91cd63af2bf9509db15acb6ed64063aadfc748cd881dc4351ecf0
Instruction ID: 43019fce3c89ddf13727d321caf042a700f0f62c10eeb46bd40fca8b63319cd8
Opcode Fuzzy Hash: 8ce571f228c91cd63af2bf9509db15acb6ed64063aadfc748cd881dc4351ecf0
Instruction Fuzzy Hash: C60234B5A20208DFD728DF62FD897BD3BB5FB88300B114119E542A72B4E7B088A5CF45

Function 00C13F70 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 383processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C140AF
Process32First.KERNEL32(00000000,?), ref: 00C14187
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00C143B2
Module32First.KERNEL32(00000000,?), ref: 00C143F6
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 00C1454D
Process32Next.KERNEL32(?,00000128), ref: 00C14584
CloseHandle.KERNEL32(00000000), ref: 00C145FA

Strings

"L=/, xrefs: 00C141BA

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: "L=/
API String ID: 930127669-2479274474
Opcode ID: a3c7bad049133850e5afc5279223dfb29d9f79fffab9e5846c510d5e16e74a35
Instruction ID: d966f84a6dcf4fe8d9e555c63b0d819aaad701f9f63e7598a4d8270514ba1697
Opcode Fuzzy Hash: a3c7bad049133850e5afc5279223dfb29d9f79fffab9e5846c510d5e16e74a35
Instruction Fuzzy Hash: 17F175B5A20200DFD728EF62FD897AC3BB4F795311B114159E482A72B4EBB149A1DF81

Function 00BF6000 Relevance: 12.2, APIs: 8, Instructions: 208registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(01340BF0,Function_00001140), ref: 00BF611E
SetServiceStatus.ADVAPI32(00000000,00C59C20), ref: 00BF617F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BF6193
SetServiceStatus.ADVAPI32(00000000,00C59C20), ref: 00BF6200
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00BF626C
SetServiceStatus.ADVAPI32(00000000,00C59C20), ref: 00BF6322
CloseHandle.KERNEL32(00000000), ref: 00BF6341
SetServiceStatus.ADVAPI32(00000000,00C59C20), ref: 00BF63F1

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 8b4ea49959745ae26e162c7ed565d50dd949b5a28f2a71d5f7193eaf9b8a6a12
Instruction ID: 65dc2cb8d1d10e26c4dfd6912fa26ece76d435ac85d7a9efc162b9aa077c84d7
Opcode Fuzzy Hash: 8b4ea49959745ae26e162c7ed565d50dd949b5a28f2a71d5f7193eaf9b8a6a12
Instruction Fuzzy Hash: 39A197B9621300CFC354CF26FD9A76C3BB4F798322714845AE582976B0DBB09894CF09

Function 00BF1FE0 Relevance: 10.8, APIs: 7, Instructions: 255processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 00BF204F
Process32First.KERNEL32(00000000,00000128), ref: 00BF2159
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BF224D

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 2c6e82d00f435b18cc054b8d8d3129590b0a3e983787aa8b18b5ae7e068ccdca
Instruction ID: a6d44ad5920059e643507b51169874c58275c6974e8465e31acc61d02757a73e
Opcode Fuzzy Hash: 2c6e82d00f435b18cc054b8d8d3129590b0a3e983787aa8b18b5ae7e068ccdca
Instruction Fuzzy Hash: DBB146B6A20709CFD7289F21FD8977D3BB4F750301B21015AE642A72B4E77149A5CF84

Function 00C14990 Relevance: 9.2, APIs: 6, Instructions: 177filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00C14A04
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00C14A4E
CloseHandle.KERNEL32(00000000), ref: 00C14A6B

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f0b158c08a4d8671d74bdf4b8124b7a23bd83d166e0c023af4035fafd7d76dd1
Instruction ID: 1fc96fd989147828fbbad9b3995f1267e6e78dff2a02c7895067b341aafa1fef
Opcode Fuzzy Hash: f0b158c08a4d8671d74bdf4b8124b7a23bd83d166e0c023af4035fafd7d76dd1
Instruction Fuzzy Hash: 2161F036A10304CFD724CF66FD8576EB7B8FB88721B11826AE806D66B0D7B09891DB45

Function 00C18650 Relevance: 7.6, APIs: 5, Instructions: 99synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,00BF9ED1,00C10DB0,00000001,?), ref: 00C1873E
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 00C1876D
CloseHandle.KERNEL32(00000000,?,00BF9ED1,00C10DB0,00000001,?), ref: 00C1877E
WaitForSingleObject.KERNEL32(?,000000FF,?,00BF9ED1,00C10DB0,00000001,?), ref: 00C18793
CloseHandle.KERNEL32(?,?,000000FF,?,00BF9ED1,00C10DB0,00000001,?), ref: 00C187B7

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: e8dd40db425fd61b47f178c08ff49398ae7e49ab57b51faf6c653a227007fb09
Instruction ID: 305b92747a94ac652fd1eebbca10fe9c90d01c7f0a5bbc0abdd69b59532dac32
Opcode Fuzzy Hash: e8dd40db425fd61b47f178c08ff49398ae7e49ab57b51faf6c653a227007fb09
Instruction Fuzzy Hash: DA41F5B5610705EFC710AF26FD4879C3BB0F798351F264409E985A72B5EBB184A4CF85

Function 00C126B0 Relevance: 6.3, APIs: 4, Instructions: 281fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C12807
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00C128C5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00C129CC

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 28be9b900ab53981fe1c58554c3c954d36c5d0bdbd413929a4be7dbebfde0077
Instruction ID: fe21dc3173194dbe9c4b70d0dc1382fe47e4e782dd3b9f024a3da6c1391ebaca
Opcode Fuzzy Hash: 28be9b900ab53981fe1c58554c3c954d36c5d0bdbd413929a4be7dbebfde0077
Instruction Fuzzy Hash: B2B112B9620600DFD728DF25FC867AD37B0F789301F10441AE542A62F4EB7499A2DF85

Function 00C13790 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00C0FAC0,00000000,?), ref: 00C1381D
RtlReAllocateHeap.NTDLL(00000000,?,00C0FAC0,00000000), ref: 00C13824
GetProcessHeap.KERNEL32(00000000,?,?,00C0FAC0,00000000,?), ref: 00C13842
HeapAlloc.KERNEL32(00000000,?,00C0FAC0,00000000,?), ref: 00C13849

Memory Dump Source

Source File: 00000001.00000002.1309467185.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000001.00000002.1309449210.0000000000BF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309500630.0000000000C27000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309519204.0000000000C70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309618089.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bf0000_YiqjcLlhew.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: bad54d72cad044d65ae53c01f3a2564b83843ed264f2db6bb440e2a210b68a06
Instruction ID: 37f4bbff92cfa249606f659503cd641559fe63d068e098d6a6ec8850fcf24b72
Opcode Fuzzy Hash: bad54d72cad044d65ae53c01f3a2564b83843ed264f2db6bb440e2a210b68a06
Instruction Fuzzy Hash: 1E116BB6A14744DFD714AFA0FDA8BBE3BB8F7453007010005F046869B0EB7189A1EF66

Analysis Process: kfdag3t9jukjqfngi9xbw.exePID: 6028, Parent PID: 3712COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	1697
Total number of Limit Nodes:	43

Executed Functions

Function 0030D0EB Relevance: 61.7, APIs: 29, Strings: 5, Instructions: 2186synchronizationsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003159B0: GetProcessHeap.KERNEL32(00000000,00000000,?,002FFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003159C3
Part of subcall function 003159B0: RtlFreeHeap.NTDLL(00000000,?,002FFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003159CA

Part of subcall function 00314650: GetSystemTime.KERNEL32(J,.,00000001,?,?,002E2C4A), ref: 0031473C

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 0030D651
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0030D721
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0030D76D
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0030D7A4
GetTickCount.KERNEL32 ref: 0030D82E
Sleep.KERNEL32(00000D05), ref: 0030DE9B
Sleep.KERNEL32(000003E8), ref: 0030E039
GetCommandLineA.KERNEL32 ref: 0030D9EB

Part of subcall function 002EC9B0: ExitProcess.KERNEL32 ref: 002EC9E8

Part of subcall function 00304990: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00304A04

Strings

U"Kd, xrefs: 0030F765
C:\Users\user, xrefs: 0030D642
Qt$[, xrefs: 0030F2C5
l, xrefs: 0030E388
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe, xrefs: 0030EBDA, 0030EC03, 0030F21F, 0030F24E, 0030F2AE, 0030F606

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Create$Mutex$HeapProcessSleep$CommandCountEnvironmentExitFileFreeLineSystemTickTimeVariable
String ID: C:\Users\user$C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe$Qt$[$U"Kd$l
API String ID: 2753435600-3294579655
Opcode ID: 0b5baf211f93e55788f47c16d43d32c62a48c936e2605fd2b15e94cae45ccb46
Instruction ID: 75d6e9c913c4d290fc2942c007a582d6471fd5dbbe97bf81eeb7ad4e29cfedd0
Opcode Fuzzy Hash: 0b5baf211f93e55788f47c16d43d32c62a48c936e2605fd2b15e94cae45ccb46
Instruction Fuzzy Hash: 451312B5A01300DFD71BEF21FD966663BBCF789302F11851AD4429A2B5EB7099A2CF41

Function 002E7FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00360FB0), ref: 002E808B
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 002E81E4
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 002E8408
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 002E8433
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 002E84CC
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002E85D1
CreateDirectoryA.KERNEL32(?,00000000), ref: 002E896A
CreateDirectoryA.KERNEL32(?,00000000), ref: 002E8A1A

Part of subcall function 00300CF0: wvsprintfA.USER32(00001237,00DF0608,00DF0840), ref: 00300D77

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 002E8C2E

Part of subcall function 00302260: lstrlen.KERNEL32(?,?,002E7614,?,?,C:\vdjmzgowdzhfmld\,?,?,002E17C4,?), ref: 00302283

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 002E8DEE
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 002E8F47
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 002E90F7

Strings

C:\Users\user, xrefs: 002E87D1, 002E886D
\, xrefs: 002E8CD5
C:\vdjmzgowdzhfmld\, xrefs: 002E850F, 002E899C, 002E8D95, 002E8F5E

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionlstrlenwvsprintf
String ID: C:\Users\user$C:\vdjmzgowdzhfmld\$\
API String ID: 2935959199-2236001584
Opcode ID: 31c1a4f809b253d840a96db3413056ac55c9434fb8e682e9f4a8b6a61e3b856d
Instruction ID: d73152af6e1406b10ff8150d0f760346e6cb296cc59cfe095e1daeb54a6f4702
Opcode Fuzzy Hash: 31c1a4f809b253d840a96db3413056ac55c9434fb8e682e9f4a8b6a61e3b856d
Instruction Fuzzy Hash: 889298B5A50305CFD717EF21FD8A6A53BBCFB88301F418069E582961B5EB3059A6CF81

Function 003136D0 Relevance: 25.3, APIs: 13, Strings: 1, Instructions: 814
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,002F0E0A,?), ref: 00313945
LoadLibraryA.KERNELBASE(00000000,?,00000001,?,?,?,?,?,00000000), ref: 00313A07
GetProcAddress.KERNEL32(00000000,00000000), ref: 00313AF2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00313B50
RtlAllocateHeap.NTDLL(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 00313BF7
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00313C42
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00313C72
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 00313D56
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 00313D94
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00313E0E
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 00313EA4
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 003144A5
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 003144CF

Strings

V\v(, xrefs: 00314086

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Free$HeapLibrary$AdaptersInfo$AddressAllocAllocateLoadProcProcess
String ID: V\v(
API String ID: 3577610392-3864276540
Opcode ID: 73545a601d689d8030783bb72b58b5bb88d66025963483925c1d1a410c0eddb9
Instruction ID: a33b33529fadc02735ed1ae3342bfc389592fe325f5f0bd934a60def8c89c63c
Opcode Fuzzy Hash: 73545a601d689d8030783bb72b58b5bb88d66025963483925c1d1a410c0eddb9
Instruction Fuzzy Hash: 27722175A11300CFC71BDF21FD862A53BBDFB99312F12851AD4429A2B4EB7199A2CF41

Function 002E53B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 203
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 002E546E
CreateServiceA.ADVAPI32(00000000,00DF05C8,00DF05C8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002E54BD
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 002E5503
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 002E5533
CloseServiceHandle.ADVAPI32(00000000), ref: 002E5593
OpenServiceA.ADVAPI32(00000000,00DF05C8,00000010), ref: 002E55DE
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 002E566C
CloseServiceHandle.ADVAPI32(00000000), ref: 002E567D
CloseServiceHandle.ADVAPI32(00000000), ref: 002E56CC

Strings

|Sxz, xrefs: 002E5442

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID: |Sxz
API String ID: 3525021261-962673421
Opcode ID: e8e5eb818ad91a5f84202f5dd5e5f5a6cc2e89f92e6602b58fdb3dbf2b97bc8d
Instruction ID: 1b835ebabce9095e92670864074dfd8132b05dbafedb60ce9335f15590de594b
Opcode Fuzzy Hash: e8e5eb818ad91a5f84202f5dd5e5f5a6cc2e89f92e6602b58fdb3dbf2b97bc8d
Instruction Fuzzy Hash: 08812135A11711DFD32BCF25FD867663BBCF799702F51801AE8419A2B4EB705862CB81

Function 002F0950 Relevance: 2.2, APIs: 1, Instructions: 742COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 002F0B3D

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 793cbebcf84db4bc549fe6f5fc3bacdbd602e01c140ef49c401fb57b721c0f4e
Instruction ID: 69b28c7bb5db19ce245496eb95594f132b16687d34b347b8cf8c3e554cbe9e07
Opcode Fuzzy Hash: 793cbebcf84db4bc549fe6f5fc3bacdbd602e01c140ef49c401fb57b721c0f4e
Instruction Fuzzy Hash: 53623175920204CFC71AEF21FC96AAA77BCFB58301F50802AE542971B1EF306AA5CF51

Function 002F5EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00001237,00DF0608,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00DF0840), ref: 002F602B
CloseHandle.KERNEL32(00DF0608), ref: 002F6043
CloseHandle.KERNEL32(00DF0840), ref: 002F6072

Strings

D, xrefs: 002F5FB1

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: dc1e199f4b5e5ad24f1af87b6902c928dcf14bb67f37c170501a5000160137fd
Instruction ID: c19cf3a10611b6df9dd37fe981297fd0854b1935bb7ee3c14c6e3581e0cd6348
Opcode Fuzzy Hash: dc1e199f4b5e5ad24f1af87b6902c928dcf14bb67f37c170501a5000160137fd
Instruction Fuzzy Hash: EC51F3796002058BC71ACF24FD92BBAB3BCF759701F14852EE906CB6B4EB78A545CB41

Function 003026B0 Relevance: 6.3, APIs: 4, Instructions: 281
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00302807
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 003028C5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 003029CC

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a07c8b2d7d8c58005599297cb90f263289efb0549ffe29455de528db6dbf1f8d
Instruction ID: 8c8f8cfdeca266115580fc16af3ac2710922f74cccc255aa7126a771b7348caa
Opcode Fuzzy Hash: a07c8b2d7d8c58005599297cb90f263289efb0549ffe29455de528db6dbf1f8d
Instruction Fuzzy Hash: DBB11479A01604DFD71BDF24FC9666677BCF789301F11841EE4029A2B4EB74A962CF84

Function 002E2510 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 326
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76850000,00000000), ref: 002E272B
GetProcAddress.KERNEL32(76850000,00000000), ref: 002E27B0

Strings

%Uj*, xrefs: 002E271B

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: AddressProc
String ID: %Uj*
API String ID: 190572456-2557879984
Opcode ID: 179879c7c20ae0fcd09212fb66e01fa2c82d8878c8f7c82f1af545be8149c633
Instruction ID: 65fe23b58f7a930b784d798e8307d42456555d8e50ec432f8e71d3cc7f36e9c7
Opcode Fuzzy Hash: 179879c7c20ae0fcd09212fb66e01fa2c82d8878c8f7c82f1af545be8149c633
Instruction Fuzzy Hash: 2DD13CB5A20745CFC317EF25FD896613BBCFB89342F918519E442862B8EB7498B5CB40

Function 003056A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,002F8C4F,02053FC0,?,?,?,?,003055F4), ref: 003056EE
RtlAllocateHeap.NTDLL(00000000,?,002F8C4F,02053FC0,?,?,?,?,003055F4), ref: 003056F5

Strings

|Q.H, xrefs: 003056C8

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: |Q.H
API String ID: 1357844191-517162033
Opcode ID: dd9322fb882716ebf21feb3259f7a088a80868475d34eaaeb2e64ddde671e3b6
Instruction ID: ef87eabf641e61d3536662ba81da32e0aa24be365009810e94f035cb855a7592
Opcode Fuzzy Hash: dd9322fb882716ebf21feb3259f7a088a80868475d34eaaeb2e64ddde671e3b6
Instruction Fuzzy Hash: 20E0ED3000974AEFD7068F98ECC86AA3B3CF30CB12F014004E006DB1B0CA3A94518B21

Function 002E70D0 Relevance: 4.8, APIs: 3, Instructions: 285
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00308570: WaitForSingleObject.KERNEL32(?,00004E20,?,002E264E,0000012C,00000000,00000001,?,?,00301B87,002E17D5,?), ref: 003085D7

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 002E71F7
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 002E740F

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: File$CreateObjectSingleWaitWrite
String ID:
API String ID: 3285871581-0
Opcode ID: 8248e704289557402561fa1a0173f4399141ebe3723af96522267060a99a422b
Instruction ID: b77a73efd017d9b90a7288e4982d8371b15d2b63ed9e77d5a6eb6abb99cc76b1
Opcode Fuzzy Hash: 8248e704289557402561fa1a0173f4399141ebe3723af96522267060a99a422b
Instruction Fuzzy Hash: 21C11176A11301CFD717DF22FD8566277BCF759302F618459E8468A2B4EB30A9A2CF81

Function 002E7309 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 002E740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002E7525

Part of subcall function 00302290: ReleaseMutex.KERNEL32(002E2A8B,?,002E2A8B,0000012C), ref: 003022E7

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: c43011fb113d5f5990799ca8da298d4ece6049d4dff3fde1dd388c65e8e8429d
Instruction ID: fa110f99dca4af97e1289f146145c65f274dd47cf67f00080676de14d8fe6190
Opcode Fuzzy Hash: c43011fb113d5f5990799ca8da298d4ece6049d4dff3fde1dd388c65e8e8429d
Instruction Fuzzy Hash: 99514276A10600CFC726DF25FD8066537BDF794302F62805AD4468B2B8EB3099A2CF81

Function 002E7307 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 002E740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002E7525

Part of subcall function 00302290: ReleaseMutex.KERNEL32(002E2A8B,?,002E2A8B,0000012C), ref: 003022E7

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 2971034fd697f2183182634ec3c8c3fd74ad1af502f2e22989970b34e52db49f
Instruction ID: 06908c4931a5f9f0904f361c9bf22c4ab62462089f6d253a35138b0972fd0c3a
Opcode Fuzzy Hash: 2971034fd697f2183182634ec3c8c3fd74ad1af502f2e22989970b34e52db49f
Instruction Fuzzy Hash: 26513376A11600CFC727DF25FD8066537BDF794302F62845AE4468B2B8EB3199A2CF81

Function 00301510 Relevance: 3.1, APIs: 2, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(002E80AE,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,002E80AE), ref: 00301592
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0030163E

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: e1122797dc24463de8c5702d94443937a39ab2eb3fe61ef522aa07a6bc852c34
Instruction ID: 6e662735fb41a481e5f71bfcfa53b3f213d8767c5f97ee27cb0485ea71b9a544
Opcode Fuzzy Hash: e1122797dc24463de8c5702d94443937a39ab2eb3fe61ef522aa07a6bc852c34
Instruction Fuzzy Hash: CC410EB2A02344EFCB078FA4FC999A87B7CFB15302F958489D882A7279DB301564CF50

Function 003159B0 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,002FFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003159C3
RtlFreeHeap.NTDLL(00000000,?,002FFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003159CA

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 33e0b1b3658076d0aeae8e19dc4abc20bb49cbbcdeee4c4433f66bf38332f29e
Instruction ID: f794b6a0c39be7925ebea5a9f1ab2fb4641d6f635c1772a513c163692a0086aa
Opcode Fuzzy Hash: 33e0b1b3658076d0aeae8e19dc4abc20bb49cbbcdeee4c4433f66bf38332f29e
Instruction Fuzzy Hash: B5D0C9700483449FC712ABA9EC09B563BACBB19716F058045F60A89170C73168918E64

Function 002F5770 Relevance: 1.7, APIs: 1, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 002F5933

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e5c921823f638c7feb38e2bec5e7ef6d7ee7d582779ef3f216b35bfb17a2f61
Instruction ID: 6bf35985b7f40b962f6f0fce15a5e4be227f099d092282b6fb1304121d069a88
Opcode Fuzzy Hash: 6e5c921823f638c7feb38e2bec5e7ef6d7ee7d582779ef3f216b35bfb17a2f61
Instruction Fuzzy Hash: 91714572911B19DFD72BAF20FC8A6A03BBCF758352F514419C242961B4EB3098A1CFC1

Function 00305535 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00306BE0: GetStdHandle.KERNEL32(000000F6,?,?,00305560), ref: 00306C12
Part of subcall function 00306BE0: GetStdHandle.KERNEL32(000000F5,?,?,00305560), ref: 00306C6A
Part of subcall function 00306BE0: GetStdHandle.KERNEL32(000000F4,?,?,00305560), ref: 00306D53

ExitProcess.KERNEL32 ref: 0030561B

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: 81ea4f5d6c6a28d8b51d8e07da2a6641706fcc9bb64dd6e8a0ce36fc2a6090c7
Instruction ID: d69ff8304270a4a7eb2f73d23dc456afea78f067c86b2c08ffcb45a623d9f6c6
Opcode Fuzzy Hash: 81ea4f5d6c6a28d8b51d8e07da2a6641706fcc9bb64dd6e8a0ce36fc2a6090c7
Instruction Fuzzy Hash: 46112776A12741DFDB17AF30FD8719937ADFB5D342B5A8026D0428A175EB389C62CB40

Function 002EC9B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 002EC9E8

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 287365483490678451c9642a76440850e710c2f34cd082343b7e3055cef0d939
Instruction ID: 42afaacbe96dde10f0bd36e6daff5d475e3761250d98677b3053285ffd2ebe5e
Opcode Fuzzy Hash: 287365483490678451c9642a76440850e710c2f34cd082343b7e3055cef0d939
Instruction Fuzzy Hash: 97E0E278110308CFC30ADF25FC8542ABB7CFB84B41F018019E80486235C770A891CF9A

Function 00308A10 Relevance: 1.3, APIs: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,002E220B,?,?,?), ref: 00308A81

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 4d484bbd972fe258a96f6ec63dd2f89c0c643f31a5ab365f98558b4632cf586f
Instruction ID: 0927afd04b6a10ba714810e4dc42895269fbe6924993a83b6287110ee402c94d
Opcode Fuzzy Hash: 4d484bbd972fe258a96f6ec63dd2f89c0c643f31a5ab365f98558b4632cf586f
Instruction Fuzzy Hash: 74213879602614CFC32B9F68FC980B63BFCF38D325F51802AD486865B4EB7058A2C740

Non-executed Functions

Function 002F62D0 Relevance: 7.9, APIs: 5, Instructions: 424serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 002F643A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 002F64AC
GetLastError.KERNEL32 ref: 002F64C1
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 002F65D1
CloseServiceHandle.ADVAPI32(00000000), ref: 002F6829

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 264d3f13f7f36a0d881510bf2430193572a78fb49840118d5f056ee291aef09c
Instruction ID: 342310d3dc3f90393603198ac360a12386d1333ed43b86e54a2e70d54867141b
Opcode Fuzzy Hash: 264d3f13f7f36a0d881510bf2430193572a78fb49840118d5f056ee291aef09c
Instruction Fuzzy Hash: 540276B6A00705DFC717AF61FD8A2A53BBCFB84352F21451AD181972B4EB3059A5CF81

Function 002E3740 Relevance: 7.7, APIs: 5, Instructions: 236filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,00000001), ref: 002E38AD
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002E39A7
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002E3AB9
FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002E3AD1
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002E3AF2

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 5388db0701a4b117a0bffbce2b6c4e74bfc0cdad7c587bb0ff7cf9e6e7e90513
Instruction ID: 40aefd453710f90f938bce663377c46d8532e88ea94849ff27513d94f340751f
Opcode Fuzzy Hash: 5388db0701a4b117a0bffbce2b6c4e74bfc0cdad7c587bb0ff7cf9e6e7e90513
Instruction Fuzzy Hash: 74A10275510205CFD72BDF25FC9A6BA37BCFB99302F41851AE4428B274EB7099A1CB80

Function 002ECA00 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 426pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002ECB8A
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 002ECBD0
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002ECC2C
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 002ECCA8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 002ECE0D
CloseHandle.KERNEL32(?), ref: 002ECE48
CloseHandle.KERNEL32(?), ref: 002ECE70
CloseHandle.KERNEL32(?), ref: 002ECEA0
CloseHandle.KERNEL32(?), ref: 002ECEB8
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 002ECFA0
CloseHandle.KERNEL32(?), ref: 002ECFD3
CloseHandle.KERNEL32(?), ref: 002ECFEE
WaitForSingleObject.KERNEL32(?,00002710), ref: 002ED09F
CloseHandle.KERNEL32(?), ref: 002ED0B3
CloseHandle.KERNEL32(?), ref: 002ED0EB

Strings

S')G, xrefs: 002ECC05
D, xrefs: 002ECCEF

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D$S')G
API String ID: 1130065513-1494146028
Opcode ID: 8f5baf6feb98778d0948db629e5fe8b48b85e93959e41d0eb60a15d8ea568f3f
Instruction ID: 5bca39a994e1456cd108aee8d841b186d5b9c2875f3ea7928bf14ea7b530079f
Opcode Fuzzy Hash: 8f5baf6feb98778d0948db629e5fe8b48b85e93959e41d0eb60a15d8ea568f3f
Instruction Fuzzy Hash: 0A0200B5A10304DFD717DFA5FC896AA3BBDFB98301F618509E442962B4EB349862CF41

Function 00303F70 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 383processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003040AF
Process32First.KERNEL32(00000000,?), ref: 00304187
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 003043B2
Module32First.KERNEL32(00000000,?), ref: 003043F6
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0030454D
Process32Next.KERNEL32(?,00000128), ref: 00304584
CloseHandle.KERNEL32(00000000), ref: 003045FA

Strings

"L=/, xrefs: 003041BA

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: "L=/
API String ID: 930127669-2479274474
Opcode ID: 842694b24554cfa0dcff0a64160f216bc33208e91784f25a3cb1b3c836e8b9b4
Instruction ID: ed85865110127d26be94571eaa0ae2fd9b8f204510f6e04af2e9945feb5d7d7d
Opcode Fuzzy Hash: 842694b24554cfa0dcff0a64160f216bc33208e91784f25a3cb1b3c836e8b9b4
Instruction Fuzzy Hash: D9F147B5A00700CFD717DF20FD8A6653BBCF799311F124459E5429A2B4EB309A62CF81

Function 002E6000 Relevance: 12.2, APIs: 8, Instructions: 208registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00DF05C8,Function_00001140), ref: 002E611E
SetServiceStatus.ADVAPI32(00000000,00349C20), ref: 002E617F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 002E6193
SetServiceStatus.ADVAPI32(00000000,00349C20), ref: 002E6200
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 002E626C
SetServiceStatus.ADVAPI32(00000000,00349C20), ref: 002E6322
CloseHandle.KERNEL32(00000000), ref: 002E6341
SetServiceStatus.ADVAPI32(00000000,00349C20), ref: 002E63F1

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: d1ea6f26baa5dea3c8aa9b2a34e72f78060cdc1bbc24244d984767999d79a85e
Instruction ID: 51b215f286a6dbc808bf048e1588d3ed8b5f8e18903dfbf3efb6065cac0c873f
Opcode Fuzzy Hash: d1ea6f26baa5dea3c8aa9b2a34e72f78060cdc1bbc24244d984767999d79a85e
Instruction Fuzzy Hash: FCA16479A11300CFC357CF25FD9A5663BBCF799711F04841ED4468A6B4DB74A862CB08

Function 002EB1D0 Relevance: 10.8, APIs: 7, Instructions: 282fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002EB2EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 002EB326
CloseHandle.KERNEL32(00000000), ref: 002EB33F
GetTickCount.KERNEL32 ref: 002EB37C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 002EB558
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 002EB5AB
CloseHandle.KERNEL32(00000000), ref: 002EB5BC

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 0fcbda74ce67ce3fb94cc56f9d300a25fda7606130181e8fc235ba3313f54320
Instruction ID: 794e2bf38a086bc86659bc6d6e7e90f9dda635d6bc8e91838d90f87a52ea61b7
Opcode Fuzzy Hash: 0fcbda74ce67ce3fb94cc56f9d300a25fda7606130181e8fc235ba3313f54320
Instruction Fuzzy Hash: 03B11175911200EFD32B9F25FD86B6637BCFB95301F50401DE8019B2B5EB705962CB92

Function 002E1FE0 Relevance: 10.8, APIs: 7, Instructions: 255processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 002E204F
Process32First.KERNEL32(00000000,00000128), ref: 002E2159
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002E224D

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 9e2886bc0415f9121c50b4b2495a3e88727b12c2fbe875efa716eea5f7495895
Instruction ID: 2c1bb62e3607d1e89fe6edad498f9f5dcdae6b2bbe0cabfe73af0cbf36f36439
Opcode Fuzzy Hash: 9e2886bc0415f9121c50b4b2495a3e88727b12c2fbe875efa716eea5f7495895
Instruction Fuzzy Hash: FFB121B6A11305CBD72BDF21FC8A6663BBCFB58301F51450ED542962B4EB709966CF80

Function 00304990 Relevance: 9.2, APIs: 6, Instructions: 177filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00304A04
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00304A4E
CloseHandle.KERNEL32(00000000), ref: 00304A6B

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 4cd32d0dce91b33c89d915b67bf74da977aa635c50e91a6f785453c8f8344334
Instruction ID: b3c1d40540055faa77bfb3ca1ff81b95269a398d369189c5259dc9ad1a1f9c21
Opcode Fuzzy Hash: 4cd32d0dce91b33c89d915b67bf74da977aa635c50e91a6f785453c8f8344334
Instruction Fuzzy Hash: 64612076A01304DFD722CF65FD8566AB7BCFB88312F11825EE8028A6B0DB709952CB45

Function 00300250 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00000000), ref: 0030035F
Process32First.KERNEL32(00000000,?), ref: 003003DB

Strings

i*Vd, xrefs: 0030039C

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: i*Vd
API String ID: 2353314856-4103011120
Opcode ID: a61c688d178bbf66e60af49d84beb3682cdffb8c99c41b773a14d676eca13984
Instruction ID: 0a1ded57b0f41ecff9886c10e5688c8cf668007413c3f5c2a61b842d5c561ecd
Opcode Fuzzy Hash: a61c688d178bbf66e60af49d84beb3682cdffb8c99c41b773a14d676eca13984
Instruction Fuzzy Hash: 13A135B5912304DBC31BAF25FDA52B637BCF78A312F114419D482962B4FB3099A1CF90

Function 00308650 Relevance: 7.6, APIs: 5, Instructions: 99synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,002E9ED1,00300DB0,00000001,?), ref: 0030873E
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 0030876D
CloseHandle.KERNEL32(00000000,?,002E9ED1,00300DB0,00000001,?), ref: 0030877E
WaitForSingleObject.KERNEL32(?,000000FF,?,002E9ED1,00300DB0,00000001,?), ref: 00308793
CloseHandle.KERNEL32(?,?,000000FF,?,002E9ED1,00300DB0,00000001,?), ref: 003087B7

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 794ee0101ee5fa2af94dd5c6e48046f8011e713ba1af09cfa7c50323186e026c
Instruction ID: 768551d88eb96002f6bcb6e7a1e49071b35737007fb585cc1bfe7e566e46e036
Opcode Fuzzy Hash: 794ee0101ee5fa2af94dd5c6e48046f8011e713ba1af09cfa7c50323186e026c
Instruction Fuzzy Hash: 954113B5601305EFC313AF25FD897503BBCF768752F228409E585962B8EB3594A2CF85

Function 00303790 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,002FFAC0,00000000,?), ref: 0030381D
RtlReAllocateHeap.NTDLL(00000000,?,002FFAC0,00000000), ref: 00303824
GetProcessHeap.KERNEL32(00000000,?,?,002FFAC0,00000000,?), ref: 00303842
HeapAlloc.KERNEL32(00000000,?,002FFAC0,00000000,?), ref: 00303849

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 6069f03cca975e9768960c7027f7734bc51ffca522b535868e40ee0113223071
Instruction ID: 03cbd1b881b6e376f31981f96f78a7d5a3d6fd66ad5a5e9ad95a5a2edfd9efea
Opcode Fuzzy Hash: 6069f03cca975e9768960c7027f7734bc51ffca522b535868e40ee0113223071
Instruction Fuzzy Hash: 9A11E9B1A05704CFC717AF64FDA96B63B7CFB48701F024009E4468A5B4E7319952CB52

Function 00314650 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(J,.,00000001,?,?,002E2C4A), ref: 0031473C
GetTickCount.KERNEL32 ref: 0031484A

Strings

J,., xrefs: 00314736, 00314739

Memory Dump Source

Source File: 00000002.00000002.1288799747.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000002.00000002.1288739630.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288845765.0000000000317000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000031C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.000000000034D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000350000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288866410.0000000000360000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1288977693.0000000000362000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e0000_kfdag3t9jukjqfngi9xbw.jbxd

Similarity

API ID: CountSystemTickTime
String ID: J,.
API String ID: 2164215191-1739306853
Opcode ID: cb92779675d614b2fd50f55ceb87960dcc186a84a4e209ac2d58721f129f9f5f
Instruction ID: c291e9e3716edb234b0f159d1612624d4f8e993a4c132d677dec1d183de7f7d7
Opcode Fuzzy Hash: cb92779675d614b2fd50f55ceb87960dcc186a84a4e209ac2d58721f129f9f5f
Instruction Fuzzy Hash: 3951023A611201CBC31ACF29FD821B673FDFB9A311F05852EE846CA674E7756891CB45

Analysis Process: skjlipudplp.exePID: 1768, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1701
Total number of Limit Nodes:	49

Executed Functions

Function 0102D0EB Relevance: 63.4, APIs: 29, Strings: 6, Instructions: 2186synchronizationsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 010359B0: GetProcessHeap.KERNEL32(00000000,0100A48A,?,0100A48A,00000002,00000002,?,0115B4C0,?,00000001), ref: 010359C3
Part of subcall function 010359B0: RtlFreeHeap.NTDLL(00000000,?,0100A48A,00000002,00000002,?,0115B4C0,?,00000001), ref: 010359CA

Part of subcall function 01034650: GetSystemTime.KERNEL32(01002C4A,00000001,?,?,01002C4A), ref: 0103473C

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 0102D651
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0102D721
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0102D76D
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0102D7A4
GetTickCount.KERNEL32 ref: 0102D82E
Sleep.KERNEL32(00000D05), ref: 0102DE9B
Sleep.KERNEL32(000003E8), ref: 0102E039
GetCommandLineA.KERNEL32 ref: 0102D9EB

Part of subcall function 0100C9B0: ExitProcess.KERNEL32 ref: 0100C9E8

Part of subcall function 01024990: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 01024A04

Strings

l, xrefs: 0102E388
owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe", xrefs: 0102F580, 0102F5EA
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe, xrefs: 0102EBDA, 0102EC03, 0102F21F, 0102F24E, 0102F2AE, 0102F606
C:\Windows\system32\config\systemprofile, xrefs: 0102D642
U"Kd, xrefs: 0102F765
Qt$[, xrefs: 0102F2C5

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Create$Mutex$HeapProcessSleep$CommandCountEnvironmentExitFileFreeLineSystemTickTimeVariable
String ID: C:\Windows\system32\config\systemprofile$C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe$Qt$[$U"Kd$owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"$l
API String ID: 2753435600-3604542358
Opcode ID: 4e430f4bc7ab5b3c5813c67545c735f189624292fb482015b2a100e2cbd6a901
Instruction ID: 4bedc4a350083f5aadf4a2a8212a99d50bb8d990916a990e4bc9a600f3a82cb0
Opcode Fuzzy Hash: 4e430f4bc7ab5b3c5813c67545c735f189624292fb482015b2a100e2cbd6a901
Instruction Fuzzy Hash: DE13F3B9A00211DFD734EF65FA896A53BB5F794310B11811AE5C2A729CEB3F9860CF41

Function 01016C30 Relevance: 27.4, APIs: 10, Strings: 5, Instructions: 1156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~~w, xrefs: 01016DA1
y.n, xrefs: 01017C9C
zxf, xrefs: 01017D12, 01017D1D
/, xrefs: 01016F31
]:8, xrefs: 010170AD

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID:
String ID: /$]:8$y.n$zxf$~~w
API String ID: 0-584866615
Opcode ID: 597fb76525da9902543423a5d0df62310ba536192c93dddae6822fda7ac357d2
Instruction ID: d172ef9809856b48c2394cc59cb5c8bfe2c35b3de799f7fb1004cc5e890c49e3
Opcode Fuzzy Hash: 597fb76525da9902543423a5d0df62310ba536192c93dddae6822fda7ac357d2
Instruction Fuzzy Hash: A8A225B5A00206CFE734EF64FA856A93BB5FB94300F018059E5C6A719CEB3F49A5CB51

Function 01007FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(01080FB0), ref: 0100808B
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 010081E4
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 01008408
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 01008433
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 010084CC
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010085D1
CreateDirectoryA.KERNEL32(?,00000000), ref: 0100896A
CreateDirectoryA.KERNEL32(?,00000000), ref: 01008A1A

Part of subcall function 01020CF0: wvsprintfA.USER32(0000000B,?,01017604), ref: 01020D77

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 01008C2E

Part of subcall function 01022260: lstrlen.KERNEL32(00000001,?,0100385D,?,00000104,?,00000001), ref: 01022283

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 01008DEE
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 01008F47
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 010090F7

Strings

C:\vdjmzgowdzhfmld\, xrefs: 0100850F, 0100899C, 01008D95, 01008F5E
\, xrefs: 01008CD5
C:\Windows\system32\config\systemprofile, xrefs: 010087D1, 0100886D

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionlstrlenwvsprintf
String ID: C:\Windows\system32\config\systemprofile$C:\vdjmzgowdzhfmld\$\
API String ID: 2935959199-2206088217
Opcode ID: b74597e7c00b2c9c4f454922afb090f7c30e8733a120477eb95cd68e9288c886
Instruction ID: 6de0ab51449f5f8b816c3f67e8aabc4802f2af6270d8a561b4931006ed096f07
Opcode Fuzzy Hash: b74597e7c00b2c9c4f454922afb090f7c30e8733a120477eb95cd68e9288c886
Instruction Fuzzy Hash: E89212B5E00206DFE730AF24FA896A53BB4FB94300F018156E5C2A619DEB3F45A5CF95

Function 010336D0 Relevance: 25.3, APIs: 13, Strings: 1, Instructions: 814
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,01010E0A,?), ref: 01033945
LoadLibraryA.KERNELBASE(00000000,?,00000001,?,?,?,?,?,00000000), ref: 01033A07
GetProcAddress.KERNEL32(00000000,00000000), ref: 01033AF2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 01033B50
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 01033BF7
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 01033C42
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 01033C72
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 01033D56
HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,00000001), ref: 01033D94
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 01033E0E
GetAdaptersInfo.IPHLPAPI(00000000,00000288,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 01033EA4
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000001), ref: 010344A5
FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,00000001,?,?,?,?,?,00000000), ref: 010344CF

Strings

V\v(, xrefs: 01034086

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Free$HeapLibrary$AdaptersAllocInfo$AddressLoadProcProcess
String ID: V\v(
API String ID: 2633798829-3864276540
Opcode ID: b9eb4f1c996a8551694d45364ef645d212b202d33360925e981e7b322b4ac742
Instruction ID: 583fbffe3598f9a31694d11c881e5e1bcff9ed11518d22822e05df83e705c86b
Opcode Fuzzy Hash: b9eb4f1c996a8551694d45364ef645d212b202d33360925e981e7b322b4ac742
Instruction Fuzzy Hash: F772EEB9A00205CFD7349F65FAD55653BB9FB98310B11855AE4C2AB29CE73F8861CF40

Function 01002AE0 Relevance: 8.2, APIs: 1, Strings: 4, Instructions: 690
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000008AE), ref: 010035BC

Strings

m%X, xrefs: 01002C8E
owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe", xrefs: 01003675
C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe, xrefs: 0100367A
m%X, xrefs: 01002C87

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Sleep
String ID: m%X$m%X$C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe$owwisyfkhljp "c:\vdjmzgowdzhfmld\skjlipudplp.exe"
API String ID: 3472027048-2138712788
Opcode ID: e8db88790c551813d945cadd000d6960cc6f23fddd737f2f64e30f79c00f495f
Instruction ID: a4e92a33a3bf6accbd294d75baac527d60605d5cb11e6c00e71f07d20ae2f0d6
Opcode Fuzzy Hash: e8db88790c551813d945cadd000d6960cc6f23fddd737f2f64e30f79c00f495f
Instruction Fuzzy Hash: 6D520FB9E00201DFE735EF64FA855A93BB4FB54310B11815AD4C2A629CEB3F59A0CF91

Function 01003740 Relevance: 7.7, APIs: 5, Instructions: 236
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,?,00000001), ref: 010038AD
FindFirstFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 010039A7
DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AB9
FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AD1
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AF2

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: f07ebdb7374176a659c6ef60cdbbf5d1a491a13e9fa80fe635a4af4a3d7de78e
Instruction ID: 2a462c39a32fbf7682e24b5dda6b0fb58b7e4db864c48710c6d606515b3ff842
Opcode Fuzzy Hash: f07ebdb7374176a659c6ef60cdbbf5d1a491a13e9fa80fe635a4af4a3d7de78e
Instruction Fuzzy Hash: 5CA1F3B9A00215CFE375DF24F9955B93BB4FB94300B014155E4C2DA29CEB7F9590CB80

Function 01010950 Relevance: 2.2, APIs: 1, Instructions: 742COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 01010B3D

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1a59c1a3c4fd2f9269f90ce0c2a4b1dbe210d78e4709e00786664d1f6c45d9af
Instruction ID: 7123eb2dd642462dc5b815cbd503d097f0bf039c74b731a06678e8bc2932df54
Opcode Fuzzy Hash: 1a59c1a3c4fd2f9269f90ce0c2a4b1dbe210d78e4709e00786664d1f6c45d9af
Instruction Fuzzy Hash: AF6203B5A00206CBD734EF64FAD4AEA37B4FBA4300F50415AE5C2A719CEB3E5994CB51

Function 01006430 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0100645B

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: b53dc9007947b68ddea10d2a6c70fd745239d4de88f58170e603f40f1a5948fc
Instruction ID: 9e6068644e08f3e92bc874965320601f23832c7edd3290e94c26dbfcc8f89799
Opcode Fuzzy Hash: b53dc9007947b68ddea10d2a6c70fd745239d4de88f58170e603f40f1a5948fc
Instruction Fuzzy Hash: A3E04FB5C152089FD720DFA4E9842AEBBB4F704300F004A5AE99597204E63646148F80

Function 01006000 Relevance: 12.2, APIs: 8, Instructions: 208
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(0115E668,Function_00001140), ref: 0100611E
SetServiceStatus.SECHOST(0116AE70,01069C20), ref: 0100617F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01006193
SetServiceStatus.ADVAPI32(0116AE70,01069C20), ref: 01006200
WaitForSingleObject.KERNEL32(0000022C,00001388), ref: 0100626C
SetServiceStatus.ADVAPI32(0116AE70,01069C20), ref: 01006322
CloseHandle.KERNEL32(0000022C), ref: 01006341
SetServiceStatus.ADVAPI32(0116AE70,01069C20), ref: 010063F1

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 5c4db4a5a6b8a200d19e400772914418adfbd360b451215274618096712cabd6
Instruction ID: 6e307f253dc94f08f250de59ae5ffc334861aadda9b2a437a1869742f677abd2
Opcode Fuzzy Hash: 5c4db4a5a6b8a200d19e400772914418adfbd360b451215274618096712cabd6
Instruction Fuzzy Hash: 20A176B9A01205CFD374CF25F6D94257BB9F798724715841AE0C2A7AACEB3F94A0CB04

Function 01020250 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00000000), ref: 0102035F
Process32First.KERNEL32(00000000,?), ref: 010203DB

Strings

i*Vd, xrefs: 0102039C

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: i*Vd
API String ID: 2353314856-4103011120
Opcode ID: 144eed39a1ee8487918908a9c78e99fef05d57b671d8608d36e21b6acb7c4997
Instruction ID: deb9926a712616fe5ad4a85f17ee15d5faf7f08b84e56238f5ad5f151067c0f7
Opcode Fuzzy Hash: 144eed39a1ee8487918908a9c78e99fef05d57b671d8608d36e21b6acb7c4997
Instruction Fuzzy Hash: D5A112B5E01315CBE334AF64F6986BA3BB4F784311B118459E4C6A629CF73F48A0CB91

Function 01015EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,01003684,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 0101602B
CloseHandle.KERNEL32(01003684), ref: 01016043
CloseHandle.KERNEL32(?), ref: 01016072

Strings

D, xrefs: 01015FB1

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 71a65034a7a8d573cf23de38efc09849036dc3fe31f27007ce551c9dff2f5fb5
Instruction ID: fcefa19f45782d17c04076f853b13994420ef65793b97a4220f7da799fe55b5c
Opcode Fuzzy Hash: 71a65034a7a8d573cf23de38efc09849036dc3fe31f27007ce551c9dff2f5fb5
Instruction Fuzzy Hash: 615104B96002068BD728DF64FAA2BBA73B8F744700F00801DE9C6CB6ACE77E9455C741

Function 01002510 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 326
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76850000,00000000), ref: 0100272B
GetProcAddress.KERNEL32(76850000,00000000), ref: 010027B0

Strings

%Uj*, xrefs: 0100271B

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: AddressProc
String ID: %Uj*
API String ID: 190572456-2557879984
Opcode ID: a84918558b75ebe36ed1ea3846637d45ccd7570dca2d5332e3702980e25e5cf7
Instruction ID: c1567a0cee20b8367c310184f6dbd47afcef40905d98cfff156c6d68dee2a39d
Opcode Fuzzy Hash: a84918558b75ebe36ed1ea3846637d45ccd7570dca2d5332e3702980e25e5cf7
Instruction Fuzzy Hash: DED10EB5E00605CFE335EF65FA886653BB5FB98350B518516E0C2A629CEB3F8861CF44

Function 010256A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,01018C4F,02053FC0,?,?,?,?,010255F4), ref: 010256EE
RtlAllocateHeap.NTDLL(00000000,?,01018C4F,02053FC0,?,?,?,?,010255F4), ref: 010256F5

Strings

|Q.H, xrefs: 010256C8

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: |Q.H
API String ID: 1357844191-517162033
Opcode ID: 9b898cc283a7b23a3018c1489df5082d28e112076423c1fee4348c908bebf6e4
Instruction ID: 64cca39fef1536bccfec60f6279284747aa86e88051ddd65a6c921fab1c196ea
Opcode Fuzzy Hash: 9b898cc283a7b23a3018c1489df5082d28e112076423c1fee4348c908bebf6e4
Instruction Fuzzy Hash: FDE0E5B400435BDFD7304F58F98C9AA7F68F3097217004040F5C6CB208CA3F80908B25

Function 010070D0 Relevance: 4.8, APIs: 3, Instructions: 285
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01028570: WaitForSingleObject.KERNEL32(00000708,00004E20,?,0100264E,00000128,00000000,00000000,00000001,?,01022C3C,00000000,?,01002E06,?,00000708,00000000), ref: 010285D7

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 010071F7
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CreateObjectSingleWaitWrite
String ID:
API String ID: 3285871581-0
Opcode ID: c147c77ac172b7ec467522fe5d14b611dcb874dc1e976b1b610871d77e0872ee
Instruction ID: 8140b07d882c1591ae93c1217147fd4e8b0fc001e496178950084660f7966325
Opcode Fuzzy Hash: c147c77ac172b7ec467522fe5d14b611dcb874dc1e976b1b610871d77e0872ee
Instruction Fuzzy Hash: 02C1F1BAE01201DFE734DF65FA8566637B4F788311B118056E5C6A729CE73F98A0CB81

Function 01007307 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007525

Part of subcall function 01022290: ReleaseMutex.KERNEL32(01002A8B,?,01002A8B,00000128,00000000), ref: 010222E7

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 74ff73ac17f179951c0f225215b1bc91c6f151b1f54a385ec22543ec979c5ede
Instruction ID: 950d70cdfb996307a46d4ca728a14323fe9de522fa18c897275bf675fc3122fd
Opcode Fuzzy Hash: 74ff73ac17f179951c0f225215b1bc91c6f151b1f54a385ec22543ec979c5ede
Instruction Fuzzy Hash: B051E0BAE00101CFE734DF58EA845A93BB5F794301B118456D5C2A729CEB3FA960CF81

Function 01007309 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007525

Part of subcall function 01022290: ReleaseMutex.KERNEL32(01002A8B,?,01002A8B,00000128,00000000), ref: 010222E7

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 7095607bdd28aeec8a9f342aca498d0d96d1fa11cd36325e8728380aaa002ad4
Instruction ID: 0ca9068236d08e55b4e6f0611f394b2fd1c4adb373f897e4e74cecd55a2f29a5
Opcode Fuzzy Hash: 7095607bdd28aeec8a9f342aca498d0d96d1fa11cd36325e8728380aaa002ad4
Instruction Fuzzy Hash: 9551DFBAE01101CFE734DF54EA846A93BB5F794301B158456D5C2A729CEB3FA960CF81

Function 01021510 Relevance: 3.1, APIs: 2, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(010080AE,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,010080AE), ref: 01021592
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0102163E

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: aa11307bd8590409cdcc95a2e2a4f8b630acb8278610a4aab299388780e9a110
Instruction ID: c305d2dc710fce832156ef34a693ab66b7d5ad9dc83f9ee7c26428406653faeb
Opcode Fuzzy Hash: aa11307bd8590409cdcc95a2e2a4f8b630acb8278610a4aab299388780e9a110
Instruction Fuzzy Hash: A841AAB6E01249EFCB358FA4EA989A87FB4FB14300B558489D4C2A725DDB7B0564CF50

Function 010359B0 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0100A48A,?,0100A48A,00000002,00000002,?,0115B4C0,?,00000001), ref: 010359C3
RtlFreeHeap.NTDLL(00000000,?,0100A48A,00000002,00000002,?,0115B4C0,?,00000001), ref: 010359CA

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8d635752ed22f0e411fb950531164aadc0dcc20737cc44c1ebe9e613f47f9507
Instruction ID: 368485dc921ab07017cb752a2fc68f80049d67ce8571d6c576580604a83bbb4d
Opcode Fuzzy Hash: 8d635752ed22f0e411fb950531164aadc0dcc20737cc44c1ebe9e613f47f9507
Instruction Fuzzy Hash: C4D012B4444344DFC7309FA9EC4AB163BACEF1971AF058050F58AD9158C73BA851CF64

Function 01015770 Relevance: 1.7, APIs: 1, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 01015933

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4bb3d7fec7aef94c490bb31496bf7701093fc9c0f743d0b10a4b6cdf0e84d02b
Instruction ID: 41441875acd5347e902a488cc65a56046f8a18cd2cf03803e5c84684c32b1048
Opcode Fuzzy Hash: 4bb3d7fec7aef94c490bb31496bf7701093fc9c0f743d0b10a4b6cdf0e84d02b
Instruction Fuzzy Hash: E57144B6E01709DBE774AF20F9896A53BB0F799310F518445D5C2A619CEB3F88A0CF85

Function 01026F70 Relevance: 1.7, APIs: 1, Instructions: 162fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 010270F3

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a2c9e83aea536d434be4f02596db2a581f49482c17947010a57379ef85eb2f07
Instruction ID: b3b751e5fc9b6875b02b948b1386325a18b870d1f65b331b5c2f5c0bdffcfefd
Opcode Fuzzy Hash: a2c9e83aea536d434be4f02596db2a581f49482c17947010a57379ef85eb2f07
Instruction Fuzzy Hash: BD5123B9A00212DFE7349F24FA957B637B5FB59311F004019E9C69629CE73F8451CB51

Function 01025535 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F6,?,?,01025560), ref: 01026C12
Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F5,?,?,01025560), ref: 01026C6A
Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F4,?,?,01025560), ref: 01026D53

ExitProcess.KERNEL32 ref: 0102561B

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: fa130dd8523c06eec62810035365a96c1ce9a108c6e34cd1c33df9718e8c350c
Instruction ID: 829fd3b164e46a8bbf7fd4a0f4916df3e79b404af766f5f8c4e993331954f09f
Opcode Fuzzy Hash: fa130dd8523c06eec62810035365a96c1ce9a108c6e34cd1c33df9718e8c350c
Instruction Fuzzy Hash: 811136B7E00602CFEB30AF34FA8509937AAF7A83513168005D4C2EB25CEA3F8951CB54

Function 01022BA0 Relevance: 1.4, APIs: 1, Instructions: 194sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,00000000,?,01002E06,?,00000708,00000000), ref: 01022D5A

Part of subcall function 01026F70: CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 010270F3

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFileSleep
String ID:
API String ID: 2694422964-0
Opcode ID: d0911eed168f6015d16455782fa1dd90735705f2e3ce883138ea76955c4b0c2c
Instruction ID: 428b7ae29751b264448fd0401df430e85f5a5860b5321e8edd0316b11b6658a1
Opcode Fuzzy Hash: d0911eed168f6015d16455782fa1dd90735705f2e3ce883138ea76955c4b0c2c
Instruction Fuzzy Hash: 8F8110B5A00315CFD330EFA8FA9966537B4F798710B418116E4C1A729CEB3F58A1CB45

Function 01028A10 Relevance: 1.3, APIs: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,0102045C,?,?,?), ref: 01028A81

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 911931578073fc8da02665f8aae67cac1b27056a7029ad23ab01a2ab288a422e
Instruction ID: cddd6dbfcfcee1f92b6ee6eb92acfa4306565c04719cc2b32e0f228edeba1e7a
Opcode Fuzzy Hash: 911931578073fc8da02665f8aae67cac1b27056a7029ad23ab01a2ab288a422e
Instruction Fuzzy Hash: FA21E5BDA01514DFE3749F68F6980657BE8F38D321350811AE5C6D25ACEB3F48A1C740

Non-executed Functions

Function 010053B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 203serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 0100546E
CreateServiceA.ADVAPI32(00000000,0115E668,0115E668,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 010054BD
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 01005503
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 01005533
CloseServiceHandle.ADVAPI32(00000000), ref: 01005593
OpenServiceA.ADVAPI32(00000000,0115E668,00000010), ref: 010055DE
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0100566C
CloseServiceHandle.ADVAPI32(00000000), ref: 0100567D
CloseServiceHandle.ADVAPI32(00000000), ref: 010056CC

Strings

|Sxz, xrefs: 01005442

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID: |Sxz
API String ID: 3525021261-962673421
Opcode ID: 25ec0b31a23f7714e5cf5756c078a8500d23185ff1d0c0e689ac3156b0110364
Instruction ID: fe3e74a9145a8032480184dd7d34511dc7f7a29916d6042c434e2fc238d5ad12
Opcode Fuzzy Hash: 25ec0b31a23f7714e5cf5756c078a8500d23185ff1d0c0e689ac3156b0110364
Instruction Fuzzy Hash: 7F81CDB9A01201DFE335DF64FA896A97BB5F798311F104116E8C1A728CE73F9891CB85

Function 010162D0 Relevance: 7.9, APIs: 5, Instructions: 424serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,-00000001,00000000,00000001), ref: 0101643A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,0000000A,?,00000000), ref: 010164AC
GetLastError.KERNEL32 ref: 010164C1
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,-0000001A,0000000A,?,00000000), ref: 010165D1
CloseServiceHandle.ADVAPI32(00000000), ref: 01016829

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: a0a03f18608930751fb87cd18210f59e190fdf9ce857783c4266c91c4d0f8476
Instruction ID: 126460151ff0eb5d8cc43c2fb2d4f8ba6c8ab25f5ffe3eb41f0eac667057dbde
Opcode Fuzzy Hash: a0a03f18608930751fb87cd18210f59e190fdf9ce857783c4266c91c4d0f8476
Instruction Fuzzy Hash: A00237F6E00202DFD734AF64FA896A53BB4F794310B118506D5C2A729CEB7F49A4CB81

Function 0100CA00 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 426pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00000001,?,0000000C,00000000,00000000,00000000,?), ref: 0100CB8A
SetHandleInformation.KERNEL32(00000001,00000001,00000000), ref: 0100CBD0
CreatePipe.KERNEL32(?,00000000,0000000C,00000000), ref: 0100CC2C
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0100CCA8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000001,00000044,?), ref: 0100CE0D
CloseHandle.KERNEL32(00000000), ref: 0100CE48
CloseHandle.KERNEL32(?), ref: 0100CE70
CloseHandle.KERNEL32(00000001), ref: 0100CEA0
CloseHandle.KERNEL32(?), ref: 0100CEB8
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0100CFA0
CloseHandle.KERNEL32(00000000), ref: 0100CFD3
CloseHandle.KERNEL32(?), ref: 0100CFEE
WaitForSingleObject.KERNEL32(?,00002710), ref: 0100D09F
CloseHandle.KERNEL32(?), ref: 0100D0B3
CloseHandle.KERNEL32(?), ref: 0100D0EB

Strings

S')G, xrefs: 0100CC05
D, xrefs: 0100CCEF

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D$S')G
API String ID: 1130065513-1494146028
Opcode ID: 537420bb70182fe4959cf912037dfafe8bf032365f249198b0db5f112437515f
Instruction ID: 381c8e2e72207a8572ef0ea391fe6c7d7ec57ce95c482494e0167c275c67fa2a
Opcode Fuzzy Hash: 537420bb70182fe4959cf912037dfafe8bf032365f249198b0db5f112437515f
Instruction Fuzzy Hash: 8C02C3B9A00205DFE734DF64FA886AA3BB5FB88300B114559E5C2A729CE73F9854CF54

Function 01023F70 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 383processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 010240AF
Process32First.KERNEL32(00000000,?), ref: 01024187
CreateToolhelp32Snapshot.KERNEL32(00000008,?,00000001), ref: 010243B2
Module32First.KERNEL32(00000000,?), ref: 010243F6
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 0102454D
Process32Next.KERNEL32(?,00000128), ref: 01024584
CloseHandle.KERNEL32(00000000), ref: 010245FA

Strings

"L=/, xrefs: 010241BA

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: "L=/
API String ID: 930127669-2479274474
Opcode ID: a74108e081eb4c20e26bfb4c9dee7830e710531e4a713811a07e50859f88d167
Instruction ID: 8c893015d1482cafd0eb97dda76d112e9026a6d2f776ba248c49858f97ec64b5
Opcode Fuzzy Hash: a74108e081eb4c20e26bfb4c9dee7830e710531e4a713811a07e50859f88d167
Instruction Fuzzy Hash: 87F113B9E00211CFE734EF64FA896A93BB4F794310B014159E5C6A629CEB3F4960CF91

Function 0100B1D0 Relevance: 10.8, APIs: 7, Instructions: 282fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0100B2EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0100B326
CloseHandle.KERNEL32(00000000), ref: 0100B33F
GetTickCount.KERNEL32 ref: 0100B37C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0100B558
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0100B5AB
CloseHandle.KERNEL32(00000000), ref: 0100B5BC

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 93993b30920787d4f259345275c2e59b8261dc27aec5ed79074fd0e95d00709f
Instruction ID: 12aa2ef44eef6fb4a08248c9bc2b7e4332583a7a81599985d940df92bcc180e2
Opcode Fuzzy Hash: 93993b30920787d4f259345275c2e59b8261dc27aec5ed79074fd0e95d00709f
Instruction Fuzzy Hash: 9EB1D2B9A00201DFE335AF68FA8576637B8FB95310F104019E8C1AB29CE73F9951CB95

Function 01001FE0 Relevance: 10.8, APIs: 7, Instructions: 255processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 0100204F
Process32First.KERNEL32(00000000,00000128), ref: 01002159
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100224D

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 2fa582c6bd0524cce2a2e94510247a583d464cd0de7abbe266b35b4a3476242c
Instruction ID: d1415cd2a1b53a712d3adebf35604307a4dc6ad0fd183b9515e8667f33eb3e00
Opcode Fuzzy Hash: 2fa582c6bd0524cce2a2e94510247a583d464cd0de7abbe266b35b4a3476242c
Instruction Fuzzy Hash: 6AB1F2FAA00216DBE335EF24FAC95653BB9F754310B11454AE5C2A629CE73F8964CF80

Function 01024990 Relevance: 9.2, APIs: 6, Instructions: 177filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 01024A04
GetFileTime.KERNEL32(00000000,?,?,?), ref: 01024A4E
CloseHandle.KERNEL32(00000000), ref: 01024A6B

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f409f2ce4d7e8ba2bd03cadb6ece87371546fa97a67fb955096d6f3c95da3641
Instruction ID: 8a35373ffb0edef7c6f9470b7f4ee963f960bc37867efbea4515f735c86ff527
Opcode Fuzzy Hash: f409f2ce4d7e8ba2bd03cadb6ece87371546fa97a67fb955096d6f3c95da3641
Instruction Fuzzy Hash: 5461D2B5A00204DFD734DF65FAC566AB7B8FB88724B10825AE8C2D625CD73F8851CB44

Function 01028650 Relevance: 7.6, APIs: 5, Instructions: 99synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,01009ED1,01020DB0,00000001,?), ref: 0102873E
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 0102876D
CloseHandle.KERNEL32(00000000,?,01009ED1,01020DB0,00000001,?), ref: 0102877E
WaitForSingleObject.KERNEL32(?,000000FF,?,01009ED1,01020DB0,00000001,?), ref: 01028793
CloseHandle.KERNEL32(?,?,000000FF,?,01009ED1,01020DB0,00000001,?), ref: 010287B7

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 1a8463e03f31164061eb85fb3757a18dbbc2e19de1c7731e300aed14fda8d1b5
Instruction ID: 4d4b1bdf918aec728ce0d5769c83a8b1fae0fd0260840a5df9f21334e36b7d24
Opcode Fuzzy Hash: 1a8463e03f31164061eb85fb3757a18dbbc2e19de1c7731e300aed14fda8d1b5
Instruction Fuzzy Hash: 1641C0B9A01305EBD330AF25FA887513BB0F788390F218486E5C5A629DD73F94A4CF85

Function 010226B0 Relevance: 6.3, APIs: 4, Instructions: 281fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01022807
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 010228C5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 010229CC

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 2ea798df77b114bb0219b1d412277da5cf89313e36c40e5ac76d641964aa13b3
Instruction ID: d59d7a16b5af09d0d21697e1a85bb0e6381ac11281c11ec389e2fc509fc72069
Opcode Fuzzy Hash: 2ea798df77b114bb0219b1d412277da5cf89313e36c40e5ac76d641964aa13b3
Instruction Fuzzy Hash: 5EB100B9A00215DFD734EF64FAC56A537B5F798300B104059E4C2AA29CEB7F98A5CF84

Function 01023790 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,0101FAC0,00000000,?), ref: 0102381D
RtlReAllocateHeap.NTDLL(00000000,?,0101FAC0,00000000), ref: 01023824
GetProcessHeap.KERNEL32(00000000,?,?,0101FAC0,00000000,?), ref: 01023842
HeapAlloc.KERNEL32(00000000,?,0101FAC0,00000000,?), ref: 01023849

Memory Dump Source

Source File: 00000004.00000002.2043295779.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 00000004.00000002.2043278808.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043325496.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.000000000106D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043342892.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2043415594.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 021dbe896a796818be23b07bff1e988ca3f6a0b69da96086da7f3fe59192d98d
Instruction ID: a92247cb544a20fc763897a71bfc9390dfafc06eabe2ea1303d3b572c84168f9
Opcode Fuzzy Hash: 021dbe896a796818be23b07bff1e988ca3f6a0b69da96086da7f3fe59192d98d
Instruction Fuzzy Hash: 5B11A0F9A04305DBD7349FA4FAA86663BB8FB88340B014045E5C69A95CE77FD450CB51

Analysis Process: xmjofjnkdlv.exePID: 2940, Parent PID: 1768COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1556
Total number of Limit Nodes:	24

Executed Functions

Function 006DD0EB Relevance: 59.9, APIs: 28, Strings: 5, Instructions: 2186synchronizationsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006E59B0: GetProcessHeap.KERNEL32(00000000,00000000,?,006CFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E59C3
Part of subcall function 006E59B0: RtlFreeHeap.NTDLL(00000000,?,006CFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E59CA

Part of subcall function 006E4650: GetSystemTime.KERNEL32(J,k,00000001,?,?,006B2C4A), ref: 006E473C

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 006DD651
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 006DD721
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 006DD76D
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 006DD7A4
GetTickCount.KERNEL32 ref: 006DD82E
Sleep.KERNEL32(00000D05), ref: 006DDE9B
Sleep.KERNELBASE(000003E8), ref: 006DE039
GetCommandLineA.KERNEL32 ref: 006DD9EB

Part of subcall function 006BC9B0: ExitProcess.KERNEL32 ref: 006BC9E8

Part of subcall function 006D4990: CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 006D4A04

Strings

C:\Windows\system32\config\systemprofile, xrefs: 006DD642
Qt$[, xrefs: 006DF2C5
1:VB, xrefs: 006DE62E, 006DE644
U"Kd, xrefs: 006DF765
l, xrefs: 006DE388

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Create$Mutex$HeapProcessSleep$CommandCountEnvironmentExitFileFreeLineSystemTickTimeVariable
String ID: 1:VB$C:\Windows\system32\config\systemprofile$Qt$[$U"Kd$l
API String ID: 2753435600-2747444924
Opcode ID: f0765cd41c6a82795b0ea380a88ee2385f6517f988250f4489fc0451e2ae006f
Instruction ID: cb99c36ed96a33c303734d50e7c7a28ff9dbe480c2accccffa8d0694986bbb93
Opcode Fuzzy Hash: f0765cd41c6a82795b0ea380a88ee2385f6517f988250f4489fc0451e2ae006f
Instruction Fuzzy Hash: 131322B1A00201DFD314EF25FD896B53BB3FB94300B11E11AD4429B2B5EB7959A2CF99

Function 006B7FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00730FB0), ref: 006B808B
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 006B81E4
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 006B8408
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 006B8433
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006B84CC
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006B85D1
CreateDirectoryA.KERNEL32(?,00000000), ref: 006B896A
CreateDirectoryA.KERNEL32(?,00000000), ref: 006B8A1A

Part of subcall function 006D0CF0: wvsprintfA.USER32(00001237,00C9E270,00CA1CC8), ref: 006D0D77

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 006B8C2E

Part of subcall function 006D2260: lstrlen.KERNEL32(?,?,006B7614,?,?,C:\vdjmzgowdzhfmld\,?,?,006B17C4,?), ref: 006D2283

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 006B8DEE
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 006B8F47
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 006B90F7

Strings

C:\vdjmzgowdzhfmld\, xrefs: 006B850F, 006B899C, 006B8D95, 006B8F5E
\, xrefs: 006B8CD5
C:\Windows\system32\config\systemprofile, xrefs: 006B87D1, 006B886D

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionlstrlenwvsprintf
String ID: C:\Windows\system32\config\systemprofile$C:\vdjmzgowdzhfmld\$\
API String ID: 2935959199-2206088217
Opcode ID: 313c02508422d0b8c19271044c53c5246672d43742c9e76b045f159f55aa491c
Instruction ID: 338ef11864a073b9c2d6b08402fdaae38aeca7fa579a7bfd97990d7d0e073383
Opcode Fuzzy Hash: 313c02508422d0b8c19271044c53c5246672d43742c9e76b045f159f55aa491c
Instruction Fuzzy Hash: B89265B1A00205DFD720AF24FD896F53BB6FB90300B11D159E541972BAEB3849A6CF9D

Function 006B1FE0 Relevance: 10.8, APIs: 7, Instructions: 255
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001), ref: 006B204F
Process32First.KERNEL32(00000000,00000128), ref: 006B2159
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006B224D

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 1bb7ca85bcdd7563be669c97473f66f4d4da12ee4b2e3885c1646bddf62c9b48
Instruction ID: 86db94e5413855a5910a712f855316dc43e50f9d156655ae3d15e2dfdfe169d8
Opcode Fuzzy Hash: 1bb7ca85bcdd7563be669c97473f66f4d4da12ee4b2e3885c1646bddf62c9b48
Instruction Fuzzy Hash: 66B125B2A00216DFD724DF24FC995B53BF7F744300B11E11AD542962B9EB3999A1CF88

Function 006D4990 Relevance: 9.2, APIs: 6, Instructions: 177
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 006D4A04
GetFileTime.KERNEL32(00000000,?,?,?), ref: 006D4A4E
CloseHandle.KERNEL32(00000000), ref: 006D4A6B

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9d135d5903d1947f5425c2d14d7321bb907cf0c8a795627290425ea6f74946c9
Instruction ID: 1eacf4b9f944c3b34ab54bf032c8a2eb49cf23bc2fd8f78b56ed979f2a91e221
Opcode Fuzzy Hash: 9d135d5903d1947f5425c2d14d7321bb907cf0c8a795627290425ea6f74946c9
Instruction Fuzzy Hash: 7661F272A01304DFD724CF69FD856B9B7F6FB98310B11D15AE802C62B0DB389851CB49

Function 006D0250 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?,00000000), ref: 006D035F
Process32First.KERNEL32(00000000,?), ref: 006D03DB

Strings

i*Vd, xrefs: 006D039C

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID: i*Vd
API String ID: 2353314856-4103011120
Opcode ID: f659e1852488f03bd4937531ccb8d4ab3224f660a4ca575ed3048f060c7f611c
Instruction ID: ecf0e52649f157c0b54d1fad00a47bacf6963ba8915b94dd56cf1ed6309bf1ac
Opcode Fuzzy Hash: f659e1852488f03bd4937531ccb8d4ab3224f660a4ca575ed3048f060c7f611c
Instruction Fuzzy Hash: 08A153B1901204DBE324EF64FD996B537B2F784310F11D41AD4829A2B5FB3889A2CF9D

Function 006C5EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00001237,00C9E270,00000000,00000000,00000000,00000008,00000000,00000000,00000044,00CA1CC8), ref: 006C602B
CloseHandle.KERNEL32(00C9E270), ref: 006C6043
CloseHandle.KERNEL32(00CA1CC8), ref: 006C6072

Strings

D, xrefs: 006C5FB1

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: c158a12dda467d78ce06e029f62ad1f549fa9ed4f09edc170a8381d2a926542d
Instruction ID: fc44cebc22ca383b277a07b2c1df8c81ed58507bb7358c8975f27a9f8c485168
Opcode Fuzzy Hash: c158a12dda467d78ce06e029f62ad1f549fa9ed4f09edc170a8381d2a926542d
Instruction Fuzzy Hash: D351EFB26003049BD708DF68ED92BBA73B6F754700F10D42DE906CB6B4EBB89945CB59

Function 006D56A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,006C8C4F,02053FC0,?,?,?,?,006D55F4), ref: 006D56EE
RtlAllocateHeap.NTDLL(00000000,?,006C8C4F,02053FC0,?,?,?,?,006D55F4), ref: 006D56F5

Strings

|Q.H, xrefs: 006D56C8

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: |Q.H
API String ID: 1357844191-517162033
Opcode ID: bd42a516e0e3d7ef4fed18f07276a15b18e526e7dcf9fb6db7fb283f9359981f
Instruction ID: f65b7a9ca78586df3090b9077d1507aeaf698676dab1dc3d252a7ed7bfa18fda
Opcode Fuzzy Hash: bd42a516e0e3d7ef4fed18f07276a15b18e526e7dcf9fb6db7fb283f9359981f
Instruction Fuzzy Hash: C2E0ED7100978ADFEB444F98FC886AA3B66F308B117008404F506CAA30CA399480CB29

Function 006B70D0 Relevance: 4.8, APIs: 3, Instructions: 285
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D8570: WaitForSingleObject.KERNEL32(?,00004E20,?,006B264E,00000128,00000000,00000001,?,?,006D1B87,006B17D5,?), ref: 006D85D7

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 006B71F7
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 006B740F

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: File$CreateObjectSingleWaitWrite
String ID:
API String ID: 3285871581-0
Opcode ID: e5ccf0d0d01ce130eee852aa5839fa622861b58c7663402675a50969cccba653
Instruction ID: f6c7f19e9cf67af5fa4cbbb1d70d12919df7be24ecf5900611a1f09beb4d753b
Opcode Fuzzy Hash: e5ccf0d0d01ce130eee852aa5839fa622861b58c7663402675a50969cccba653
Instruction Fuzzy Hash: A3C143B2A05200DFD724DF28FD856B537B6F794311B21E059E846873B4EB3899A1CF89

Function 006B7309 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 006B740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006B7525

Part of subcall function 006D2290: ReleaseMutex.KERNEL32(006B2A8B,?,006B2A8B,00000128), ref: 006D22E7

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 9929e314df01f85a38513c19eb1db2814f521bf5753d6463c2ae7ebbe117b5e2
Instruction ID: 42a53b0ea2b46a9d88275787bcf39554476657a0baa586fc6175400f6cec816c
Opcode Fuzzy Hash: 9929e314df01f85a38513c19eb1db2814f521bf5753d6463c2ae7ebbe117b5e2
Instruction Fuzzy Hash: 925114B2A00200CFC724DF58FD856B537B7F794311B21E05AE446872B8EB3999A1CF89

Function 006B7307 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 006B740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006B7525

Part of subcall function 006D2290: ReleaseMutex.KERNEL32(006B2A8B,?,006B2A8B,00000128), ref: 006D22E7

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 9da20e020dfc9e1dfcdf1a24582448de3387ba3833d132ee8ccb1cad2adab022
Instruction ID: b7465d91399df05b2100613fa596ec768d064f8c54ccd2435f83bc827be459bb
Opcode Fuzzy Hash: 9da20e020dfc9e1dfcdf1a24582448de3387ba3833d132ee8ccb1cad2adab022
Instruction Fuzzy Hash: DB5124B2A00100CFC724DF58FD855B537B7F794311B21E05AE446872B8EB3999A1CF89

Function 006D1510 Relevance: 3.1, APIs: 2, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(006B80AE,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,006B80AE), ref: 006D1592
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 006D163E

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 089efee157a54d4fb058cc72df9044af01b895131db2f2470101f7c408667b76
Instruction ID: 626333c31eaae83b7faacce63b477455d22f59ed124b8862b04912adda24afa4
Opcode Fuzzy Hash: 089efee157a54d4fb058cc72df9044af01b895131db2f2470101f7c408667b76
Instruction Fuzzy Hash: 45410372A02245EFCB249FA4FCC89A87FB6FB51300B61C19AD44197375DB784566CF18

Function 006E59B0 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,006CFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E59C3
RtlFreeHeap.NTDLL(00000000,?,006CFA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E59CA

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 6dc39fb5123c9323908d35c60a6b6761e707269d63417ab9052367064d9b8a4b
Instruction ID: f78b0b9bf0dddf565bc183c41668c765ff4d99fca18fde11f53037228844464e
Opcode Fuzzy Hash: 6dc39fb5123c9323908d35c60a6b6761e707269d63417ab9052367064d9b8a4b
Instruction Fuzzy Hash: 18D0C9710483449FC7505BA9EC49B263BADAB1961AF419050F60A89160C7356861CF68

Function 006D5535 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D6BE0: GetStdHandle.KERNEL32(000000F6,?,?,006D5560), ref: 006D6C12
Part of subcall function 006D6BE0: GetStdHandle.KERNEL32(000000F5,?,?,006D5560), ref: 006D6C6A
Part of subcall function 006D6BE0: GetStdHandle.KERNEL32(000000F4,?,?,006D5560), ref: 006D6D53

ExitProcess.KERNEL32 ref: 006D561B

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: 40e1edfecfced10a82eb077f4e63e7959e430dce027f2fa6888adf90ad04328f
Instruction ID: 8a8ddfced0c29ee5908fab9e357ec8a6feb192206ce43ed13c522406467a7340
Opcode Fuzzy Hash: 40e1edfecfced10a82eb077f4e63e7959e430dce027f2fa6888adf90ad04328f
Instruction Fuzzy Hash: 8511EB72A11B41CFDB10AF34FD8649937A7F75434131AD415E442CA676EA3CC952C749

Function 006BC9B0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 006BC9E8

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 89fdc715fcebb410cd6646569814aabd78de50b5056baa48530c8f06f4cba81e
Instruction ID: 44f0273da18f75f2564d6857efcb45df318d76850c617c8abf6a39322c98cd3a
Opcode Fuzzy Hash: 89fdc715fcebb410cd6646569814aabd78de50b5056baa48530c8f06f4cba81e
Instruction Fuzzy Hash: 82E0E2B8510708CFD304DFA5FD858393B7AFB88700301E016E80886671C738A981CF9E

Function 006D8A10 Relevance: 1.3, APIs: 1, Instructions: 72stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,006B220B,?,?,?), ref: 006D8A81

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 95836602477e8882e3c3a0e9b3a098538ca9fbf04f44624555a5b5485aeaf4c8
Instruction ID: dc6010a9cb5c8354de68a8a68e84e470c8d146f6698ec3c07a797fabd3784d2c
Opcode Fuzzy Hash: 95836602477e8882e3c3a0e9b3a098538ca9fbf04f44624555a5b5485aeaf4c8
Instruction Fuzzy Hash: 0A213B71A01554DFD3189F68FC9C0B53BB6F388321351D017D546C62B8EB744862C748

Non-executed Functions

Function 006B53B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 203serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 006B546E
CreateServiceA.ADVAPI32(00000000,00C9E230,00C9E230,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006B54BD
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 006B5503
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 006B5533
CloseServiceHandle.ADVAPI32(00000000), ref: 006B5593
OpenServiceA.ADVAPI32(00000000,00C9E230,00000010), ref: 006B55DE
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 006B566C
CloseServiceHandle.ADVAPI32(00000000), ref: 006B567D
CloseServiceHandle.ADVAPI32(00000000), ref: 006B56CC

Strings

|Sxz, xrefs: 006B5442

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID: |Sxz
API String ID: 3525021261-962673421
Opcode ID: 6e8e243581ceb9d1fd3fa0bb88a632a0887ef7b17a063ae6af62124530f90c73
Instruction ID: 6a839adfeb093ac0c3f72eff4f713fa5f238ede9b3b1d4df0f0e60c7895cbf70
Opcode Fuzzy Hash: 6e8e243581ceb9d1fd3fa0bb88a632a0887ef7b17a063ae6af62124530f90c73
Instruction Fuzzy Hash: E4810071A01701DFD324CF24FD857B53BB2F794311F10E016E4429A6B5EB3898A2CB99

Function 006C62D0 Relevance: 7.9, APIs: 5, Instructions: 424serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 006C643A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 006C64AC
GetLastError.KERNEL32 ref: 006C64C1
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 006C65D1
CloseServiceHandle.ADVAPI32(00000000), ref: 006C6829

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: f16f6677f630127708115285ceff36333c0a109850898d16501905ec1b2afff9
Instruction ID: e2124163e19a1985d25b649d7fffe4d0308eb0ce03b3292e1dc4467af8c8f534
Opcode Fuzzy Hash: f16f6677f630127708115285ceff36333c0a109850898d16501905ec1b2afff9
Instruction Fuzzy Hash: 45027BB2A01201DFC714EF65FD896B53BB2FB94310B21D109E085972B5EB3849A6CF9D

Function 006B3740 Relevance: 7.7, APIs: 5, Instructions: 236filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,00000001), ref: 006B38AD
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006B39A7
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006B3AB9
FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006B3AD1
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006B3AF2

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 20000b4417b8fbd9f34b392c56e4f6659981701e3a2db7b65c95967fd2ffc560
Instruction ID: df471f50bb62dc9f675c6d0eec0c4ea14e11e2955ff77d161f32f87c59dce4c2
Opcode Fuzzy Hash: 20000b4417b8fbd9f34b392c56e4f6659981701e3a2db7b65c95967fd2ffc560
Instruction Fuzzy Hash: 69A104B1600215CBD324DF25FC955FA37B6FB94300B11E11AE442CB3B5EB789AA1CB99

Function 006BCA00 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 426pipeprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006BCB8A
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 006BCBD0
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006BCC2C
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 006BCCA8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 006BCE0D
CloseHandle.KERNEL32(?), ref: 006BCE48
CloseHandle.KERNEL32(?), ref: 006BCE70
CloseHandle.KERNEL32(?), ref: 006BCEA0
CloseHandle.KERNEL32(?), ref: 006BCEB8
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 006BCFA0
CloseHandle.KERNEL32(?), ref: 006BCFD3
CloseHandle.KERNEL32(?), ref: 006BCFEE
WaitForSingleObject.KERNEL32(?,00002710), ref: 006BD09F
CloseHandle.KERNEL32(?), ref: 006BD0B3
CloseHandle.KERNEL32(?), ref: 006BD0EB

Strings

S')G, xrefs: 006BCC05
D, xrefs: 006BCCEF

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
String ID: D$S')G
API String ID: 1130065513-1494146028
Opcode ID: a33cbc030fff3d76146861c10dbb59a340266b50a23f3978a7256a7da83f807a
Instruction ID: bbb0b975136026e87f7ba2e5b0505d9a600026039bd81947989b3b20d4760fff
Opcode Fuzzy Hash: a33cbc030fff3d76146861c10dbb59a340266b50a23f3978a7256a7da83f807a
Instruction Fuzzy Hash: 650215B1A00204DFD724DF64FD89AB93BB6FB98310B11D119E542972B8E7388962CF5D

Function 006D3F70 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 383processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006D40AF
Process32First.KERNEL32(00000000,?), ref: 006D4187
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 006D43B2
Module32First.KERNEL32(00000000,?), ref: 006D43F6
CloseHandle.KERNEL32(00000000,0000000A,?,00000000), ref: 006D454D
Process32Next.KERNEL32(?,00000128), ref: 006D4584
CloseHandle.KERNEL32(00000000), ref: 006D45FA

Strings

"L=/, xrefs: 006D41BA

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: "L=/
API String ID: 930127669-2479274474
Opcode ID: 9c0bba08dfba2ea4255f130d7633a1ce80a62d94dd5fc7c456e25e1724d9ca12
Instruction ID: da7aad4ad3f51cc57978785fd4e24f513d61ba4b321944a10c03e4c2af16ddf4
Opcode Fuzzy Hash: 9c0bba08dfba2ea4255f130d7633a1ce80a62d94dd5fc7c456e25e1724d9ca12
Instruction Fuzzy Hash: BCF12871A00204DFD724DF24FD896B53BB7F794310B11D15AE4869A2B4EB3949A2CF8D

Function 006B6000 Relevance: 12.2, APIs: 8, Instructions: 208registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00C9E230,Function_00001140), ref: 006B611E
SetServiceStatus.ADVAPI32(00000000,00719C20), ref: 006B617F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006B6193
SetServiceStatus.ADVAPI32(00000000,00719C20), ref: 006B6200
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 006B626C
SetServiceStatus.ADVAPI32(00000000,00719C20), ref: 006B6322
CloseHandle.KERNEL32(00000000), ref: 006B6341
SetServiceStatus.ADVAPI32(00000000,00719C20), ref: 006B63F1

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: b3860d187b9a74f830487675b0be7f7452a8ad045c5462897e87f80949881487
Instruction ID: 4a4e25c70339f450ceead9a119cc70e60674d4664a4fc8bcbd9f6ab3c7048e6e
Opcode Fuzzy Hash: b3860d187b9a74f830487675b0be7f7452a8ad045c5462897e87f80949881487
Instruction Fuzzy Hash: 0EA165B1A01200CFD354CF29FDA98A53BF6F798710701E41AE1868B6B5DB389892CF5D

Function 006BB1D0 Relevance: 10.8, APIs: 7, Instructions: 282fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006BB2EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 006BB326
CloseHandle.KERNEL32(00000000), ref: 006BB33F
GetTickCount.KERNEL32 ref: 006BB37C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006BB558
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 006BB5AB
CloseHandle.KERNEL32(00000000), ref: 006BB5BC

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: ef2f8bf7bcb214f1ba98b35cb1e8da2c3253b170e18ad369b01d92e64cbca631
Instruction ID: a764d35ddaac012ac7dc5571993628f1aff9f219d6170cd4977853a62becf630
Opcode Fuzzy Hash: ef2f8bf7bcb214f1ba98b35cb1e8da2c3253b170e18ad369b01d92e64cbca631
Instruction Fuzzy Hash: BCB105B1501201EFD3149F28FD86BB637B7FB95300F10E019E8019B2B5E7759992CB9A

Function 006D8650 Relevance: 7.6, APIs: 5, Instructions: 99synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,006B9ED1,006D0DB0,00000001,?), ref: 006D873E
CreateThread.KERNEL32(00000000,00000000,00000001,?,00000000,00000000), ref: 006D876D
CloseHandle.KERNEL32(00000000,?,006B9ED1,006D0DB0,00000001,?), ref: 006D877E
WaitForSingleObject.KERNEL32(?,000000FF,?,006B9ED1,006D0DB0,00000001,?), ref: 006D8793
CloseHandle.KERNEL32(?,?,000000FF,?,006B9ED1,006D0DB0,00000001,?), ref: 006D87B7

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 3cef6797830397e95c399f1ce163034e70a3a4733c674d453cee39635eddda90
Instruction ID: e3b7268c6bc0905af92f2f5683119eb5d5517801007faa241d6fbca16dea7cb2
Opcode Fuzzy Hash: 3cef6797830397e95c399f1ce163034e70a3a4733c674d453cee39635eddda90
Instruction Fuzzy Hash: D041D0B1A00301EBD7156F25FD487A03BB1F754350F21D40AE584962B4EB3E84A2CF8D

Function 006D26B0 Relevance: 6.3, APIs: 4, Instructions: 281fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006D2807
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 006D28C5
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 006D29CC

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 6e21e1136650f7952cd5ffb23dbf866c1836a6896f8c7aa9e84cb00ac9defaa9
Instruction ID: 52035534812f8973d8715eb3cff9700e1e27fa1143919eddd60ead3a7cc4112f
Opcode Fuzzy Hash: 6e21e1136650f7952cd5ffb23dbf866c1836a6896f8c7aa9e84cb00ac9defaa9
Instruction Fuzzy Hash: A2B1E2B5A00205DFD714DF28FC956B537B7F798300B10E41AE4429A2B4EB799966CF8C

Function 006D3790 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,006CFAC0,00000000,?), ref: 006D381D
RtlReAllocateHeap.NTDLL(00000000,?,006CFAC0,00000000), ref: 006D3824
GetProcessHeap.KERNEL32(00000000,?,?,006CFAC0,00000000,?), ref: 006D3842
HeapAlloc.KERNEL32(00000000,?,006CFAC0,00000000,?), ref: 006D3849

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 4b165511f661dbc0bd354d3141d8aae799f8fc5c2acbdaf9b4ef13d5b17fdffe
Instruction ID: 3d68e74eb6c1fe1655022ee3f84939fa8f1c598258cc95f708b1898ba5ea0ca6
Opcode Fuzzy Hash: 4b165511f661dbc0bd354d3141d8aae799f8fc5c2acbdaf9b4ef13d5b17fdffe
Instruction Fuzzy Hash: 611108F2A04704DFD714AFA4FD986B63BB7FB84300701A105E10A8A774EB359951DFAA

Function 006E4650 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(J,k,00000001,?,?,006B2C4A), ref: 006E473C
GetTickCount.KERNEL32 ref: 006E484A

Strings

J,k, xrefs: 006E4736, 006E4739

Memory Dump Source

Source File: 00000009.00000002.2064462892.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000009.00000002.2064445243.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064493303.00000000006E7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.00000000006EC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000721000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2064510452.0000000000730000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000009.00000002.2065030668.0000000000732000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b0000_xmjofjnkdlv.jbxd

Similarity

API ID: CountSystemTickTime
String ID: J,k
API String ID: 2164215191-1629291130
Opcode ID: f9ff790c767037c9ad72f59a3761c972089098c13c2c79af734301ec18dc06bb
Instruction ID: 1b489159664b2c6151adcb45518ff3303fa041b91e67d8871ebd6749294ddfb6
Opcode Fuzzy Hash: f9ff790c767037c9ad72f59a3761c972089098c13c2c79af734301ec18dc06bb
Instruction Fuzzy Hash: 00513172612241CBD324CF69FD811B633F3FBA5310314D12AE445CA6B8E7399891CB8D

Analysis Process: skjlipudplp.exePID: 788, Parent PID: 6028COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1543
Total number of Limit Nodes:	20

Executed Functions

Function 0102D0EB Relevance: 59.9, APIs: 28, Strings: 5, Instructions: 2186synchronizationsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 010359B0: GetProcessHeap.KERNEL32(00000000,00000000,?,0101FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010359C3
Part of subcall function 010359B0: RtlFreeHeap.NTDLL(00000000,?,0101FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010359CA

Part of subcall function 01034650: GetSystemTime.KERNEL32(01002C4A,00000001,?,?,01002C4A), ref: 0103473C

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 0102D651
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0102D721
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0102D76D
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0102D7A4
GetTickCount.KERNEL32 ref: 0102D82E
Sleep.KERNEL32(00000D05), ref: 0102DE9B
Sleep.KERNEL32(000003E8), ref: 0102E039
GetCommandLineA.KERNEL32 ref: 0102D9EB

Part of subcall function 0100C9B0: ExitProcess.KERNEL32 ref: 0100C9E8

Part of subcall function 01024990: CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 01024A04

Strings

U"Kd, xrefs: 0102F765
l, xrefs: 0102E388
0K[, xrefs: 0102D7D4, 0102D7DB
C:\Users\user, xrefs: 0102D642
Qt$[, xrefs: 0102F2C5

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Create$Mutex$HeapProcessSleep$CommandCountEnvironmentExitFileFreeLineSystemTickTimeVariable
String ID: 0K[$C:\Users\user$Qt$[$U"Kd$l
API String ID: 2753435600-2796795470
Opcode ID: 1733d314f67a284f9eb0dbb683217ba8c79874f5aa501c1dc1fb94cb0114e315
Instruction ID: 4bedc4a350083f5aadf4a2a8212a99d50bb8d990916a990e4bc9a600f3a82cb0
Opcode Fuzzy Hash: 1733d314f67a284f9eb0dbb683217ba8c79874f5aa501c1dc1fb94cb0114e315
Instruction Fuzzy Hash: DE13F3B9A00211DFD734EF65FA896A53BB5F794310B11811AE5C2A729CEB3F9860CF41

Function 01007FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(01080FB0), ref: 0100808B
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 010081E4
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 01008408
RemoveDirectoryA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 01008433
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 010084CC
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010085D1
CreateDirectoryA.KERNEL32(?,00000000), ref: 0100896A
CreateDirectoryA.KERNEL32(?,00000000), ref: 01008A1A

Part of subcall function 01020CF0: wvsprintfA.USER32(00001237,005B48A8,005BB4C8), ref: 01020D77

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 01008C2E

Part of subcall function 01022260: lstrlen.KERNEL32(?,?,01007614,?,?,C:\vdjmzgowdzhfmld\,?,?,010017C4,?), ref: 01022283

CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 01008DEE
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 01008F47
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 010090F7

Strings

C:\vdjmzgowdzhfmld\, xrefs: 0100850F, 0100899C, 01008D95, 01008F5E
C:\Users\user, xrefs: 010087D1, 0100886D
\, xrefs: 01008CD5

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersionlstrlenwvsprintf
String ID: C:\Users\user$C:\vdjmzgowdzhfmld\$\
API String ID: 2935959199-2236001584
Opcode ID: 53ce4fb550e055c050bd2b5884649aa32bb7fe1b1c004bacb81267589ea70791
Instruction ID: 6de0ab51449f5f8b816c3f67e8aabc4802f2af6270d8a561b4931006ed096f07
Opcode Fuzzy Hash: 53ce4fb550e055c050bd2b5884649aa32bb7fe1b1c004bacb81267589ea70791
Instruction Fuzzy Hash: E89212B5E00206DFE730AF24FA896A53BB4FB94300F018156E5C2A619DEB3F45A5CF95

Function 010256A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,01018C4F,02053FC0,?,?,?,?,010255F4), ref: 010256EE
RtlAllocateHeap.NTDLL(00000000,?,01018C4F,02053FC0,?,?,?,?,010255F4), ref: 010256F5

Strings

|Q.H, xrefs: 010256C8

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: |Q.H
API String ID: 1357844191-517162033
Opcode ID: 9b898cc283a7b23a3018c1489df5082d28e112076423c1fee4348c908bebf6e4
Instruction ID: 64cca39fef1536bccfec60f6279284747aa86e88051ddd65a6c921fab1c196ea
Opcode Fuzzy Hash: 9b898cc283a7b23a3018c1489df5082d28e112076423c1fee4348c908bebf6e4
Instruction Fuzzy Hash: FDE0E5B400435BDFD7304F58F98C9AA7F68F3097217004040F5C6CB208CA3F80908B25

Function 010070D0 Relevance: 4.8, APIs: 3, Instructions: 285
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01028570: WaitForSingleObject.KERNEL32(?,00004E20,?,0100264E,0000010C,00000000,00000001,?,?,01021B87,010017D5,?), ref: 010285D7

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 010071F7
WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CreateObjectSingleWaitWrite
String ID:
API String ID: 3285871581-0
Opcode ID: c147c77ac172b7ec467522fe5d14b611dcb874dc1e976b1b610871d77e0872ee
Instruction ID: 8140b07d882c1591ae93c1217147fd4e8b0fc001e496178950084660f7966325
Opcode Fuzzy Hash: c147c77ac172b7ec467522fe5d14b611dcb874dc1e976b1b610871d77e0872ee
Instruction Fuzzy Hash: 02C1F1BAE01201DFE734DF65FA8566637B4F788311B118056E5C6A729CE73F98A0CB81

Function 01007307 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007525

Part of subcall function 01022290: ReleaseMutex.KERNEL32(01002A8B,?,01002A8B,0000010C), ref: 010222E7

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 74ff73ac17f179951c0f225215b1bc91c6f151b1f54a385ec22543ec979c5ede
Instruction ID: 950d70cdfb996307a46d4ca728a14323fe9de522fa18c897275bf675fc3122fd
Opcode Fuzzy Hash: 74ff73ac17f179951c0f225215b1bc91c6f151b1f54a385ec22543ec979c5ede
Instruction Fuzzy Hash: B051E0BAE00101CFE734DF58EA845A93BB5F794301B118456D5C2A729CEB3FA960CF81

Function 01007309 Relevance: 3.1, APIs: 2, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(00000000,?,00005000,00005000,00000000,?,?,?,?,?,?), ref: 0100740F
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007525

Part of subcall function 01022290: ReleaseMutex.KERNEL32(01002A8B,?,01002A8B,0000010C), ref: 010222E7

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CloseFileHandleMutexReleaseWrite
String ID:
API String ID: 157576396-0
Opcode ID: 7095607bdd28aeec8a9f342aca498d0d96d1fa11cd36325e8728380aaa002ad4
Instruction ID: 0ca9068236d08e55b4e6f0611f394b2fd1c4adb373f897e4e74cecd55a2f29a5
Opcode Fuzzy Hash: 7095607bdd28aeec8a9f342aca498d0d96d1fa11cd36325e8728380aaa002ad4
Instruction Fuzzy Hash: 9551DFBAE01101CFE734DF54EA846A93BB5F794301B158456D5C2A729CEB3FA960CF81

Function 01021510 Relevance: 3.1, APIs: 2, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(010080AE,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,010080AE), ref: 01021592
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0102163E

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: aa11307bd8590409cdcc95a2e2a4f8b630acb8278610a4aab299388780e9a110
Instruction ID: c305d2dc710fce832156ef34a693ab66b7d5ad9dc83f9ee7c26428406653faeb
Opcode Fuzzy Hash: aa11307bd8590409cdcc95a2e2a4f8b630acb8278610a4aab299388780e9a110
Instruction Fuzzy Hash: A841AAB6E01249EFCB358FA4EA989A87FB4FB14300B558489D4C2A725DDB7B0564CF50

Function 010359B0 Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,0101FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010359C3
RtlFreeHeap.NTDLL(00000000,?,0101FA98,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010359CA

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8d635752ed22f0e411fb950531164aadc0dcc20737cc44c1ebe9e613f47f9507
Instruction ID: 368485dc921ab07017cb752a2fc68f80049d67ce8571d6c576580604a83bbb4d
Opcode Fuzzy Hash: 8d635752ed22f0e411fb950531164aadc0dcc20737cc44c1ebe9e613f47f9507
Instruction Fuzzy Hash: C4D012B4444344DFC7309FA9EC4AB163BACEF1971AF058050F58AD9158C73BA851CF64

Function 01015770 Relevance: 1.7, APIs: 1, Instructions: 168
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 01015933

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4bb3d7fec7aef94c490bb31496bf7701093fc9c0f743d0b10a4b6cdf0e84d02b
Instruction ID: 41441875acd5347e902a488cc65a56046f8a18cd2cf03803e5c84684c32b1048
Opcode Fuzzy Hash: 4bb3d7fec7aef94c490bb31496bf7701093fc9c0f743d0b10a4b6cdf0e84d02b
Instruction Fuzzy Hash: E57144B6E01709DBE774AF20F9896A53BB0F799310F518445D5C2A619CEB3F88A0CF85

Function 01025535 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F6,?,?,01025560), ref: 01026C12
Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F5,?,?,01025560), ref: 01026C6A
Part of subcall function 01026BE0: GetStdHandle.KERNEL32(000000F4,?,?,01025560), ref: 01026D53

ExitProcess.KERNEL32 ref: 0102561B

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Handle$ExitProcess
String ID:
API String ID: 256993070-0
Opcode ID: fa130dd8523c06eec62810035365a96c1ce9a108c6e34cd1c33df9718e8c350c
Instruction ID: 829fd3b164e46a8bbf7fd4a0f4916df3e79b404af766f5f8c4e993331954f09f
Opcode Fuzzy Hash: fa130dd8523c06eec62810035365a96c1ce9a108c6e34cd1c33df9718e8c350c
Instruction Fuzzy Hash: 811136B7E00602CFEB30AF34FA8509937AAF7A83513168005D4C2EB25CEA3F8951CB54

Function 0100C9B0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0100C9E8

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d5496fd3e2d5264d49161e148cb2f1fbabac6267f374e11a5b71218fe2ab9a6a
Instruction ID: 6029afe76980e654f74749161c9f78d0266133145e4808de933239bcf57895ac
Opcode Fuzzy Hash: d5496fd3e2d5264d49161e148cb2f1fbabac6267f374e11a5b71218fe2ab9a6a
Instruction Fuzzy Hash: 25E0E2B8A10308CFC324DF25F5844297B78FB98A017018005E9C59725CD67EA850CF99

Function 01028A10 Relevance: 1.3, APIs: 1, Instructions: 72
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,00000000,?,0100220B,?,?,?), ref: 01028A81

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 911931578073fc8da02665f8aae67cac1b27056a7029ad23ab01a2ab288a422e
Instruction ID: cddd6dbfcfcee1f92b6ee6eb92acfa4306565c04719cc2b32e0f228edeba1e7a
Opcode Fuzzy Hash: 911931578073fc8da02665f8aae67cac1b27056a7029ad23ab01a2ab288a422e
Instruction Fuzzy Hash: FA21E5BDA01514DFE3749F68F6980657BE8F38D321350811AE5C6D25ACEB3F48A1C740

Non-executed Functions

Function 01003740 Relevance: 7.7, APIs: 5, Instructions: 236filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,00000001), ref: 010038AD
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 010039A7
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AB9
FindNextFileA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AD1
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01003AF2

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 243fbfa415f855e133a75d6a68aa29832df42d316f13587a92255d1c666d482b
Instruction ID: 2a462c39a32fbf7682e24b5dda6b0fb58b7e4db864c48710c6d606515b3ff842
Opcode Fuzzy Hash: 243fbfa415f855e133a75d6a68aa29832df42d316f13587a92255d1c666d482b
Instruction Fuzzy Hash: 5CA1F3B9A00215CFE375DF24F9955B93BB4FB94300B014155E4C2DA29CEB7F9590CB80

Function 01006000 Relevance: 12.2, APIs: 8, Instructions: 208registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(005B32D8,Function_00001140), ref: 0100611E
SetServiceStatus.ADVAPI32(00000000,01069C20), ref: 0100617F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01006193
SetServiceStatus.ADVAPI32(00000000,01069C20), ref: 01006200
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 0100626C
SetServiceStatus.ADVAPI32(00000000,01069C20), ref: 01006322
CloseHandle.KERNEL32(00000000), ref: 01006341
SetServiceStatus.ADVAPI32(00000000,01069C20), ref: 010063F1

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID:
API String ID: 3399922960-0
Opcode ID: 5c4db4a5a6b8a200d19e400772914418adfbd360b451215274618096712cabd6
Instruction ID: 6e307f253dc94f08f250de59ae5ffc334861aadda9b2a437a1869742f677abd2
Opcode Fuzzy Hash: 5c4db4a5a6b8a200d19e400772914418adfbd360b451215274618096712cabd6
Instruction Fuzzy Hash: 20A176B9A01205CFD374CF25F6D94257BB9F798724715841AE0C2A7AACEB3F94A0CB04

Function 0100B1D0 Relevance: 10.8, APIs: 7, Instructions: 282fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0100B2EE
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0100B326
CloseHandle.KERNEL32(00000000), ref: 0100B33F
GetTickCount.KERNEL32 ref: 0100B37C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0100B558
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0100B5AB
CloseHandle.KERNEL32(00000000), ref: 0100B5BC

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 5c82ba9d16fe9226af136aa790dd753e45f189c3f3710752fc18357855c20a0f
Instruction ID: 12aa2ef44eef6fb4a08248c9bc2b7e4332583a7a81599985d940df92bcc180e2
Opcode Fuzzy Hash: 5c82ba9d16fe9226af136aa790dd753e45f189c3f3710752fc18357855c20a0f
Instruction Fuzzy Hash: 9EB1D2B9A00201DFE335AF68FA8576637B8FB95310F104019E8C1AB29CE73F9951CB95

Function 01024990 Relevance: 9.2, APIs: 6, Instructions: 177filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 01024A04
GetFileTime.KERNEL32(00000000,?,?,?), ref: 01024A4E
CloseHandle.KERNEL32(00000000), ref: 01024A6B

Memory Dump Source

Source File: 0000000A.00000002.1291546721.0000000001001000.00000020.00000001.01000000.00000005.sdmp, Offset: 01000000, based on PE: true

Associated: 0000000A.00000002.1291523137.0000000001000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291587997.0000000001037000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.000000000103C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001071000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291638546.0000000001080000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.1291704706.0000000001082000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1000000_skjlipudplp.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f409f2ce4d7e8ba2bd03cadb6ece87371546fa97a67fb955096d6f3c95da3641
Instruction ID: 8a35373ffb0edef7c6f9470b7f4ee963f960bc37867efbea4515f735c86ff527
Opcode Fuzzy Hash: f409f2ce4d7e8ba2bd03cadb6ece87371546fa97a67fb955096d6f3c95da3641
Instruction Fuzzy Hash: 5461D2B5A00204DFD734DF65FAC566AB7B8FB88724B10825AE8C2D625CD73F8851CB44

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YiqjcLlhew.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\vdjmzgowdzhfmld\ceoxltnia

C:\vdjmzgowdzhfmld\ceoxltnia

C:\vdjmzgowdzhfmld\kfdag3t9jukjqfngi9xbw.exe

C:\vdjmzgowdzhfmld\skjlipudplp.exe

C:\vdjmzgowdzhfmld\xmjofjnkdlv.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
YiqjcLlhew.exe

Function 00BF7FA0 Relevance: 27.2, APIs: 12, Strings: 3, Instructions: 990
fileCOMMON

Function 00BF3740 Relevance: 7.7, APIs: 5, Instructions: 236
filesleepCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre